1. INTRODUCTION

This report is the fourth Semi-Annual Status Report on the
research project "Models and Techniques for Evaluating the
Effectiveness of Aircraft Computing Systems" being conducted for
the NASA Langley Research Center under NASA Grant 1306. The
subject grant was initiated 1 May 1976 for a one year period and
extended 1 May 1977 for a second one year period. This report
concerns work accomplished during the second half of the second
year (which included a one month no-cost extension at the end of the
year), that is, the period from 1 November 1977 to 31 May 1978,
hereafter referred to as the reporting period.

The purpose of this research project is to develop models,
measures, and techniques for evaluating the effectiveness of
aircraft computing systems. By "effectiveness" in this context we
mean the extent to which the user, i.e., a commercial air carrier,
may expect to benefit from the computational tasks accomplished
by a computing system in the environment of an advanced commercial
aircraft. Thus, the concept of effectiveness involves aspects of
system performance, reliability, and worth (value, benefit) which
must be appropriately integrated in the process of evaluating
system effectiveness. Specifically, the primary objectives of
this project are:

(1) The development of system models that can
provide a basis for the formulation and
evaluation of aircraft computer system
effectiveness,

(2) The formulation of quantitative measures
of system effectiveness, and

(3) The development of analytic and simulation
techniques for evaluating the effectiveness
of a proposed or existing aircraft computer.

Effort during the reporting period has also been devoted
to the documentation of research results for dissemination at
technical conferences and in the open literature. In particular,
some definitive results of the first year's activity were
submitted for presentation at the 8th International Symposium on
Fault-Tolerant Computing (Toulouse, France, June 21-23, 1978).
This paper was accepted and will appear in the Proceedings of
FTCS-8 [4]. Another paper, based on the same work but stressing
the unification of performance and reliability, has been accepted
for presentation at the Symposium on Modelling and Simulation
Methodology (Rehovot, Israel, August 13-18, 1978). More recent
results concerning "functional dependence" (R-dependence) and
its implications (see [3] and Section 3.1 of this report) have
been presented at the 1978 Johns Hopkins Conference on Information
Sciences and Systems (Baltimore, Maryland, March 1-3, 1978)
and will be published in the Proceedings of that conference [5].
In addition, a paper focusing on the "performability evaluation
of fault-tolerant multiprocessors" in a commercial aircraft
environment has been accepted for presentation at the 1978
Government Microcircuit Applications Conference (Monterey,
California, November 14-16, 1978). Finally, a slightly expanded
version of the FTCS-8 paper [4] has been submitted for publication
in the IEEE Transactions on Computers.

Section 2 of this report describes the manpower effort
proposed for the current year, the personnel involved in conducting
the investigation, and their levels of effort during the
reporting period. Section 3, the body of the report, describes
the technical status of the research performed during the
reporting period.

3. TECHNICAL STATUS

The following is a comprehensive description of the research
performed during the reporting period. The report is divided
into three major sections under the headings:

3.1 Functional Dependence

3.2 Evaluation Algorithms and Programs (METAPHOR)

3.3 Performability Evaluation of the SIFT Computer

Section 3.1 describes our further investigation of the
concept of "functional dependence" (R-dependence) and its relation
to "structure-based" capability functions. The results of this
investigation include some basic theorems characterizing
R-dependence and R-dependent sets when the index set D is
countably infinite. (Similar results obtained during the previous
reporting period [3] assumed a finite index set.) Of more
practical significance, however, is the use of these basic theorems
to establish the fundamental limitations of reliability modeling
that is based on "structure functions" or, equivalently, their
representation by "fault-trees". In particular, it is shown
(Theorem 6) that any phased system model, wherein the capability
function can be described by a sequence of structure functions
(fault-trees), is characterized by a total absence of R-dependence
among the phases (where R is the set of all state trajectories
corresponding to system "success"). One of the features of
performability modeling, on the other hand, is its ability to
accommodate interphase dependencies, as illustrated in the
conclusion of Section 3.1.

Section 3.2 reviews our progress in the development of
METAPHOR, a prototype software package to aid the evaluation of
performability. This includes a discussion of the objectives
and abilities of METAPHOR as well as a description of how the
current implementation of the package is used. Effort has also
been devoted to producing more detailed documentation of how
METAPHOR is implemented. This documentation effort is still
in progress, however, and will be completed during the next
reporting period. A full report of this activity will be included in
the next Semi-Annual Status Report.

Section 3.3 concerns the major part of our activity during
the reporting period, a relatively comprehensive performability
modeling and evaluation exercise involving the SIFT computer [8].
The computational environment is assumed to be a transoceanic
flight of a commercial aircraft and the accomplishment set A
is naturally defined in terms of attributes used by Ratner et
al. [7] to distinguish the "criticalities" of various aircraft
functions. The capability function $\gamma_S$ of the "total system"
(SIFT plus its environment) is described in terms of a 3-level
model hierarchy, where each step of the modeling process is
explained in considerable detail. Performability is then evaluated
using the basic two-step computational procedure described
previously (see [3], [4], for example), that is,

1) For each accomplishment level a in A, determine
the set of all state trajectories that result
in a, that is, determine the inverse image
$U_a = \gamma_S^{-1}(a)$,

2) Using the base model $X_S$, for each a in A,
compute the probability of the trajectory
set $U_a$ (which is equal to the performability
value $p_S(a)$).

Implementation of step 1) is described in more detail than
it has been in the reports of previous evaluation exercises. In
both steps, computations were aided by the current version of
METAPHOR but many of the calculations, particularly in step 1),
remain to be automated. This necessitated a great deal of tedious
manual computation and resulted in computational errors that
were difficult to locate. However, the results finally obtained
appear to be correct since they satisfy several consistency
checks. More importantly, we believe that the work described
in Section 3.3 comprises a significant step toward establishing
the practicality of performability evaluation, particularly as
it applies to aircraft computing systems.
3.1 Functional Dependence

During the reporting period, our investigation of the concept
of "functional dependence" has continued with an emphasis on i)
extending the theory to (countably) infinite coordinate sets and
ii) using the theory to characterize the limitations of traditional
structure-based reliability analysis. Although specific results
of this effort have already been documented in a paper presented
at the 1978 Johns Hopkins Conference (see [5]), the discussion
that follows links the work of the current period to that
described in previous reports and, thereby, serves to clarify the
progress during the current reporting period.

3.1.1 Extension of the Definition of R-dependence

Prior to the reporting period, the investigation of functional
dependence or, more formally, "R-dependence" has presumed that the
underlying index set D (see [3], p. 28, Def. 1) is finite. Although
not stated explicitly in Def. 1, the finiteness assumption
becomes apparent in Def. 2 ([3], p. 29) and is used in the proof
of Theorem 4 ([3], p. 41). In our current applications of functional
dependence, the index sets D are indeed finite since the
indices correspond to the decomposition of the state space into a
finite number of component spaces and/or the decomposition of the
utilization period into a finite number of phases. However, we
anticipate applications where the user will be interested in long-run
performability, in which case the utilization period may be
unbounded. In such cases, assuming that each phase has finite
duration, the number of phases will be countably infinite. To
accommodate such situations, we have extended the definition of R-dependence
to include infinite index sets and have reexamined the theory
of Independence in the light of this extension.

To begin, the system coordinates (whether distinguished in
time, space, or both) are represented by a countable set D, called
the index set, where, as earlier, we assume that D is totally
ordered relative to some underlying ordering relation. For example,
if S is a system with n subsystems $S_1, S_2, \ldots, S_n$ and the long-run
behavior of the system is observed at discrete times $t_1, t_2, t_3, \ldots$
then

$$D = \{(i,j) \mid i \in \{1,2,\ldots,n\},\ j \in \{1,2,3,\ldots\}\}$$

where (i,j) represents subsystem $S_i$ observed at time $t_j$. D is then totally
ordered in some convenient way, e.g., by the relation $\le$ where

$$(a,b) \le (c,d) \quad \text{if } a < c \text{ or } a = c \text{ and } b \le d.$$

Relative to D and some family of sets

$$\mathcal{Q} = \{Q_d \mid d \in D\}$$

indexed by D, the concept of R-dependence is based on the following
types of sets.


Definition 1: A structured set (relative to D and $\mathcal{Q}$) is a subset
of the Cartesian product of the sets in $\mathcal{Q}$, that is,

$$R \subseteq \mathop{\times}_{d \in D} Q_d$$

where the product is taken according to the ordering of D.

In the context of Definition 1, $d \in D$ is a coordinate and $Q_d$
is the range of coordinate d. A set $C \subseteq D$ is called a coordinate
set; the coordinates in C are subject to the ordering relation
imposed on D.

When dealing with structured sets it is convenient to refer
to the values taken on by a particular coordinate or set of
coordinates. If $d \in D$, let $\xi_d: R \to Q_d$ denote the projection of R on d,
that is,

$$\xi_d((r_1, r_2, \ldots, r_d, \ldots)) = r_d.$$

Extending such projections to coordinate sets:

Definition 2: If $C \subseteq D$ is a coordinate set where $C = \{c_1, c_2, c_3, \ldots\}$
($c_1$ is the first element of C according to the ordering of D, $c_2$
is the second element, etc.) the projection of R on C is the function

$$\xi_C: R \to \mathop{\times}_{c \in C} Q_c$$

where $\xi_C(r) = (\xi_{c_1}(r), \xi_{c_2}(r), \xi_{c_3}(r), \ldots)$. If $C = \phi$ (the empty
set), $\xi_\phi: R \to \{1_\phi\}$ where $1_\phi$ is an arbitrary constant.

For example, suppose D = {1,2,3} with the natural ordering,
and $Q_i = \{0,1\}$, $i \in D$. Then $\xi_{\{1,2\}}((0,1,1)) = (0,1)$, and $\xi_{\{3\}}((1,1,0)) = (0)$.
When C is a singleton set {d}, $\xi_{\{d\}}$ will usually be denoted
as $\xi_d$.


With the above preliminaries and with a slight notational change
to eliminate some confusion that arose in the previous status report,
R-dependence is defined as follows.

Definition 3: If R is a structured set (relative to D and $\mathcal{Q}$) and
$A, B \subseteq D$ then A R-depends on B (denoted $A \Delta_R B$) if $\exists v \in \xi_A(R)$, $\exists w \in \xi_B(R)$
such that $\forall r \in R\ [\xi_B(r) = w \text{ implies } \xi_A(r) \ne v]$. A is R-independent
of B ($A \not\Delta_R B$) if A does not R-depend on B.

The implications of the above definition, when so extended to
permit a countably infinite index set D, are examined in the
subsections that follow.

3.1.2 Basic Properties 

Regarding $\Delta_R$ ("R-depends on") as a relation on the set of all
subsets of the index set D (i.e., the "power set" of D), we note,
first of all, that the global properties of $\Delta_R$ are preserved when
D becomes countably infinite. In particular, as established earlier
for finite D, we find that $\Delta_R$ is symmetric but generally neither
reflexive nor transitive. The symmetry of $\Delta_R$ (i.e., $A \Delta_R B$ implies
$B \Delta_R A$) follows immediately from Definition 3 for if v and w are
such that [$\xi_B(r) = w$ implies $\xi_A(r) \ne v$] then [$\xi_A(r) = v$ implies
$\xi_B(r) \ne w$]. Regarding reflexivity, if $C \subseteq D$ it follows that C R-depends
on C if and only if $|\xi_C(R)| > 1$. (If $|\xi_C(R)| > 1$ any two distinct
elements of $\xi_C(R)$ can serve as the v and w of Def. 3; if $|\xi_C(R)| = 1$,
distinct elements u and v do not exist and, hence, C cannot R-depend
on C.)

Accordingly, $\Delta_R$ is generally not reflexive since there may exist
a coordinate set C for which $|\xi_C(R)| = 1$, i.e., its projection is a
constant. On the other hand, in the special case where no such
coordinate sets exist, it follows that $\Delta_R$ is a reflexive relation.
Finally, as demonstrated in the previous report using the structured
set R = {(0,0,0), (0,0,1), (1,0,0), (1,1,1)} (see [3], p. 35),
$\Delta_R$ is generally not a transitive relation. (This finite example
suffices since the generalization to countable index sets D includes
the special case where D is finite.)

The alternative characterizations of R-dependence (see [3],
p. 34, Theorem 1) also hold when D is countable, where we have found
that the "partition characterization" (part iii) of Theorem 1) is
especially useful. In the interest of clarity, this characterization
will be restated using the notation of Def. 3, and then proved
directly (as opposed to the earlier proof which involved two
characterizations). The partition characterization is motivated by the fact
that the "knowledge" or "information" conveyed by a coordinate set
C can be regarded as classification of sequences in R, where two
sequences are in the same class if they have the same projection on
C. More precisely, if $C \subseteq D$ let $\equiv_C$ denote the "equivalence kernel" of
$\xi_C$, i.e., for all $r, s \in R$, $r \equiv_C s$ iff $\xi_C(r) = \xi_C(s)$, and let $\pi_C$
denote the partition of R induced by $\equiv_C$, that is, $\pi_C$ is the set of all
equivalence classes of $\equiv_C$. Finally, if $v \in \xi_C(R)$, let $\mathcal{B}_C(v)$ denote
the "block" of $\pi_C$ (equivalence class of $\equiv_C$) determined by v, that is,
$\mathcal{B}_C(v) = \{r \in R \mid \xi_C(r) = v\}$. Then, in terms of these partitions, the
concept of R-dependence can be characterized as follows.

Theorem 1: Let R be a structured set indexed by D, and let $A, B \subseteq D$.
Then A R-depends on B if and only if $\exists v \in \xi_A(R)$, $\exists w \in \xi_B(R)$ such that
$\mathcal{B}_A(v) \cap \mathcal{B}_B(w) = \phi$.

Proof: Suppose $A \Delta_R B$, and let v, w be as in Definition 3, i.e.,
$\forall r \in R\ [\xi_B(r) = w \Rightarrow \xi_A(r) \ne v]$. But $\xi_B(r) = w \Leftrightarrow r \in \mathcal{B}_B(w)$, and $\xi_A(r) \ne
v \Leftrightarrow r \notin \mathcal{B}_A(v)$. Hence, $\forall r \in R\ [r \in \mathcal{B}_B(w) \Rightarrow r \notin \mathcal{B}_A(v)]$ which, in turn,
implies that $\mathcal{B}_A(v) \cap \mathcal{B}_B(w) = \phi$. Conversely, suppose $\exists v \in \xi_A(R)$, $\exists w \in \xi_B(R)$
such that $\mathcal{B}_A(v) \cap \mathcal{B}_B(w) = \phi$. Then $\forall r \in R$, whenever $r \in \mathcal{B}_B(w)$, it
must be the case that $r \notin \mathcal{B}_A(v)$. Therefore, $\forall r \in R\ [\xi_B(r) = w \Rightarrow \xi_A(r)
\ne v]$.

Theorem 1 thus provides a convenient algebraic characterization
of R-dependence which, given partitions $\pi_A$ and $\pi_B$, says that A
R-depends on B if and only if there is a block in $\pi_A$ and a block in
$\pi_B$ which have no elements in common.

Using Theorem 1, we can derive additional properties of
R-dependence which are useful when searching for R-dependencies. As was the
case for finite D (see [3], p. 36, Lemma 1) we observe, first of
all, that if $A \Delta_R B$ then supersets of A must R-depend on supersets
of B, that is:

Theorem 2: Let $A, B \subseteq D$. If $A \Delta_R B$ then, $\forall A' \supseteq A$ and $\forall B' \supseteq B$ such that
$A', B' \subseteq D$, $A' \Delta_R B'$.

Proof: Suppose $A \Delta_R B$ and let $A' \supseteq A$, $B' \supseteq B$. Then $\exists v \in \xi_A(R)$, $\exists w \in \xi_B(R)$
such that $\mathcal{B}_A(v) \cap \mathcal{B}_B(w) = \phi$. For any $A' \supseteq A$, it follows immediately
that $\pi_{A'}$ refines $\pi_A$, i.e., each block in $\pi_{A'}$ is a subset of some
block in $\pi_A$. Hence $\exists v' \in \xi_{A'}(R)$ such that $\mathcal{B}_{A'}(v') \subseteq \mathcal{B}_A(v)$, and $\exists w' \in \xi_{B'}(R)$
such that $\mathcal{B}_{B'}(w') \subseteq \mathcal{B}_B(w)$. As $\mathcal{B}_A(v) \cap \mathcal{B}_B(w) = \phi$, we have $\mathcal{B}_{A'}(v') \cap
\mathcal{B}_{B'}(w') = \phi$ and therefore $A' \Delta_R B'$.

Theorem 2, which says that dependence is preserved by supersets,
has the following "dual" statement which says that independence is
preserved by subsets, that is:

Theorem 3: Let $A, B \subseteq D$. If $A \not\Delta_R B$ then, $\forall A' \subseteq A$, $\forall B' \subseteq B$, $A' \not\Delta_R B'$.

Proof: Suppose to the contrary, i.e., there is a subset A' of A
and a subset B' of B such that $A' \Delta_R B'$. Then, by Theorem 2, $A \Delta_R B$,
contradicting the assumption that $A \not\Delta_R B$.

The utility of Theorems 2 and 3 is that additional dependencies
and independencies can be inferred from those already known. Finally,
as observed earlier for finite index sets (see [3], p. 39,
Theorem 3), the notion of R-independence, that is, the complement of
the relation $\Delta_R$, is closely related to the notion of a Cartesian
product. More precisely,

Theorem 4: Let $A, B \subseteq D$ be disjoint coordinate sets, and let $\psi: \xi_{A \cup B}(R) \to
\xi_A(R) \times \xi_B(R)$ be a mapping such that $\forall r \in R\ [\psi(\xi_{A \cup B}(r)) = (\xi_A(r),
\xi_B(r))]$. (Such a map $\psi$ always exists and is unique.) Then $A \not\Delta_R B$
if and only if $\psi(\xi_{A \cup B}(R)) = \xi_A(R) \times \xi_B(R)$.

Proof: Suppose $A \not\Delta_R B$. It suffices to show that $\psi$ is onto. Let
$v \in \xi_A(R)$, $w \in \xi_B(R)$. By the definition of R-independence, $\exists r \in R\ [\xi_B(r) = w$
and $\xi_A(r) = v]$. Accordingly $\psi(\xi_{A \cup B}(r)) = (\xi_A(r), \xi_B(r)) = (v,w)$.
Conversely, suppose $\psi$ is onto. Then $\forall v \in \xi_A(R)$ and $\forall w \in \xi_B(R)$, $\exists r \in R\ [\psi
(\xi_{A \cup B}(r)) = (v,w)]$. Hence, $\exists r \in R\ [\xi_B(r) = w$ and $\xi_A(r) = v]$, i.e.,
$A \not\Delta_R B$.

An even stronger link between functional independence and Car- 
tesian products is developed in the following subsection. 

3.1.3 R-dependent Coordinate Sets

When examining the nature of a structured set R, it is often
convenient to identify coordinate sets C ($C \subseteq D$) for which
R-dependencies exist among the subsets of C. In the terminology of
generalized dependence relations (see [Naylor]), such a set C is referred
to as being "dependent" (in itself). When C is finite, this concept
can be defined rather naturally, as was done during the previous
reporting period (see [3], p. 37, Def. 5). However, when
C is infinite (which is now a possibility since D may be infinite)
the choice of an appropriate definition of "self-dependence" is
less clear. On examining the alternatives, our choice was dictated
by the desire to have a constructive test for R-dependence, even
when C is infinite. Accordingly, the notion of self-dependence
is formally defined as follows.



Definition 4: If R is a structured set indexed by D and $C \subseteq D$ then
C is R-dependent if there exist finite sets $A, B \subseteq C$ with $A \cap B = \phi$ such
that $A \Delta_R B$. C is R-independent if C is not R-dependent.

The requirement that the subsets A and B be finite provides
the kind of constructive test referred to above. This is analogous
to what is done in linear algebra where a dependent set of vectors
must contain a finite subset for which some linear combination yields
the zero vector of the space. The requirement that $A \cap B = \phi$ ensures
that C is not regarded as R-dependent simply because some subset of
C depends on itself.

Applying Theorem 4, an R-independent set C can be characterized
in terms of the algebraic structure of $\xi_C(R)$ as follows. (This
characterization reduces to Theorem 4, p. 41 in [3] when D is
assumed to be finite.)

Theorem 5: If R is a structured set indexed by D and $C \subseteq D$, then C
is R-independent if and only if $\xi_C(R) = \mathop{\times}_{d \in C} \xi_d(R)$.

Proof: Suppose that $\xi_C(R) = \mathop{\times}_{d \in C} \xi_d(R)$. Let A and B be finite
disjoint subsets of C. Then $\xi_A(R) = \mathop{\times}_{d \in A} \xi_d(R)$, $\xi_B(R) = \mathop{\times}_{d \in B} \xi_d(R)$ and
$\xi_{A \cup B}(R) = \mathop{\times}_{d \in A \cup B} \xi_d(R)$. Let $\psi$ be the unique coordinate mapping
described in Theorem 4. Then

$$\psi(\xi_{A \cup B}(R)) = \psi\Big(\mathop{\times}_{d \in A \cup B} \xi_d(R)\Big) = \Big(\mathop{\times}_{d \in A} \xi_d(R)\Big) \times \Big(\mathop{\times}_{d \in B} \xi_d(R)\Big) = \xi_A(R) \times \xi_B(R).$$

Thus by Theorem 4, $A \not\Delta_R B$. Since this is true for arbitrary, finite, disjoint sets
$A, B \subseteq C$, this implies that C is R-independent. Conversely, suppose C
is R-independent, that is, for all finite sets $A, B \subseteq C$ such that
$A \cap B = \phi$, $A \not\Delta_R B$. Relabel the elements $c_1, \ldots, c_m, \ldots$ of C as 1,
..., m, ... . Then, in particular, $\{1\} \not\Delta_R \{2\}$. Applying Theorem
4 with A = {1} and B = {2}, $\psi(\xi_{\{1,2\}}(R)) = \xi_1(R) \times \xi_2(R)$. Because
1 is the first coordinate in C, $\psi$ is just the identity function,
that is, $\psi(\xi_{\{1,2\}}(R)) = \xi_{\{1,2\}}(R) = \xi_1(R) \times \xi_2(R)$. Now take A =
{1,2} and B = {3}. Then $\{1,2\} \not\Delta_R \{3\}$ so $\psi(\xi_{\{1,2,3\}}(R)) =
\xi_{\{1,2\}}(R) \times \xi_{\{3\}}(R)$ by Theorem 4. Once again $\psi$ is
just the identity, so $\xi_{\{1,2,3\}}(R) = \xi_{\{1,2\}}(R) \times \xi_3(R)$ and, by
substitution, $\xi_{\{1,2,3\}}(R) = \xi_1(R) \times \xi_2(R) \times \xi_3(R)$. Continuing in this
fashion, we can conclude that $\xi_C(R) = \mathop{\times}_{d \in C} \xi_d(R)$.

Corollary: If R is indexed by D then D is R-independent if and
only if R is a Cartesian product, that is, $R = \mathop{\times}_{d \in D} \xi_d(R)$.

The "if" part of the corollary says that, whenever R is Cart- 
esian, the index set D must be completely free of R-dependencies 
(in the sense of Definition 4) , as one would expect given the orig- 
inal definition of R-dependence (Definition 3). The "only if" part 
is a little more surprising in that the absence of R-dependencies 
among finite subsets of D (even when D is infinite) guarantees that 
D will have the simple structure of a Cartesian product. 
3.1.4 Characterization of Structure-based Capability

In addition to the above extension of the theory of
independence, we have explored the role that R-dependence plays in
performability evaluation and, particularly, how this concept might
be used to distinguish basic differences between performability
modeling (as developed under the subject grant) and traditional
reliability modeling. During the previous reporting period, using
an example wherein success was identified with a minimum allowable
average throughput (i.e., the capability function designated $\gamma_3$ in
example 1, pp. 18-20 of [3]), it was argued that capability
functions are more general than the "structure functions"
of phased-mission reliability modeling [9]. (A somewhat more
detailed version of this argument appears in [4].) During
the reporting period, however, we have found that the inherent
limitations of structure functions can be much more clearly and
precisely characterized via the concept of R-dependence.


To establish this characterization, suppose $X_S$ is a base model
with state space Q and one is interested only in the reliability
of the system, that is, the accomplishment set is A = {0,1} (where
1 denotes "success" and 0 "failure"). Then, extending the notion
of a "structure-based" capability function (see [3], p. 17) to
include "phased missions" (see [9]), a capability function
$\gamma_S$ is structure-based if there exists a decomposition of T into k
consecutive time periods $T_1, T_2, \ldots, T_k$ and there exist functions
$\varphi_1, \varphi_2, \ldots, \varphi_k$ with $\varphi_i: Q \to \{0,1\}$ such that, for all $u \in U$,

$$\gamma_S(u) = 1 \text{ iff } \varphi_i(u(t)) = 1,$$

for all $i \in \{1, 2, \ldots, k\}$ and for all $t \in T_i$. In the context of phased
mission analysis, $T_i$ is referred to as the i-th phase (of the
mission) and $\varphi_i$ is the structure function of the i-th phase.
Assuming further (as does phased mission analysis) that $\varphi_i(u(t)) = 1$,
for all $t \in T_i$, whenever $\varphi_i(u(t_i)) = 1$ where $t_i$ is the end of $T_i$, the
trajectory space U can be represented by the Cartesian product $U =
Q^k$. Accordingly, if $u = (q_1, q_2, \ldots, q_k)$, then $\gamma_S(u) = 1$ iff
$\varphi_i(q_i) = 1$, for all $i \in \{1, 2, \ldots, k\}$. Hence $u \in \gamma_S^{-1}(1)$ iff $\xi_i(u) \in \varphi_i^{-1}(1)$
for all $i \in \{1, 2, \ldots, k\}$ and we conclude that the set $R = \gamma_S^{-1}(1)$
of "success trajectories" is also Cartesian, i.e.,

$$R = \mathop{\times}_{i=1}^{k} \varphi_i^{-1}(1).$$

Conversely, whenever a capability function $\gamma_S: Q^k \to \{0,1\}$ is such
that $R = \gamma_S^{-1}(1)$ is Cartesian, it admits a structure-based
formulation by choosing each $\varphi_i$ such that $\varphi_i(q) = 1$ iff $q \in \xi_i(R)$.
Appealing to the corollary of Theorem 5, we have proved:

Theorem 6: Let S be a phased system with trajectory space $U = Q^k$
and capability function $\gamma_S: U \to \{0,1\}$. Then $\gamma_S$ is structure-based if
and only if the set of all phases D = {1, 2, ..., k} is R-independent,
where $R = \gamma_S^{-1}(1)$.

In other words, the absence of R-dependence between phases
characterizes structure-based capability functions and, accordingly,
reveals the inherent limitations of structure-based reliability analysis.
Performability analysis, on the other hand, can accommodate
interphase dependencies, as demonstrated by the following example.

Suppose S is a multiprocessor system with three processors
where the performance in question is the average throughput ($Th_{av}$)
of the system. Suppose further that the processors are identical,
so that the processing rate of the system is determined only by the
number of fault-free processors. More precisely, let us suppose
that the state set of the base model is Q = {0,1,2} where the states
in Q have the following interpretation:

0: all processors fault-free

1: one processor faulty

2: two or more processors faulty

Suppose further that, relative to a maximum throughput (processing
rate) $\tau$, the throughput associated with each state is as follows:

State    Throughput
0:       $\tau$
1:       $\tau/2$
2:       0

If the utilization period is divided into phases of equal duration
and we make the pessimistic assumption that the loss of a processor
during a phase will affect the throughput to the same degree as the
loss of a processor at the beginning of that phase, then the
trajectory space of the base model is represented by the set

$$U = \{(q_1, q_2, q_3) \mid q_i \in Q\}$$

where $q_i$ is the state of the system at the end of phase i. For
the user oriented model, suppose that the accomplishment set is
$A = \{a_0, a_1, a_2\}$ where $a_0$ corresponds to $Th_{av} \ge 5\tau/6$, $a_1$ corresponds
to $5\tau/6 > Th_{av} \ge \tau/2$, and $a_2$ corresponds to $Th_{av} < \tau/2$. Then the
capability function $\gamma_S$ is given by:


(0,0,0) 

(0,0,1) 

(0,0,2) 

(0,1,0) 

( 0 , 1 , 1 ) 

( 0 , 1 , 2 ) 


( 2 , 2 , 2 ) 


To illustrate interphase dependence, suppose we know that the
accomplishment level is $a_0$ and let $R = \gamma_S^{-1}(a_0)$ = {(0,0,0), (0,0,1),
(0,1,0), (1,0,0)}. If $u \in R$ and we know that $q_2 = 1$, then we can
infer that $q_1 \ne 1$. Thus, knowledge of the state of the system at
the end of the second phase has increased our knowledge about the
state of the system at the end of the previous phase. More formally,
in terms of Def. 3, if A = {1}, B = {2} then v = 1 and w = 1 guarantee
that $\{1\} \Delta_R \{2\}$, i.e., phase 1 R-depends on phase 2.
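The definitions of Section 3.1 can be checked mechanically on finite structured sets. The Python sketch below is an added example, not code from the report or from METAPHOR: it tests Definition 3, the block form of Theorem 1, Definition 4 and the Cartesian-product corollary on the three-processor example, and on the non-transitivity set of Section 3.1.2. The function names are hypothetical, $\tau$ is normalized to 1, and the $a_0$ threshold is taken as non-strict so that R matches the set given above.

```python
from fractions import Fraction
from itertools import combinations, product


def project(r, C):
    """xi_C(r): components of r on coordinate set C (1-based), in the order of D."""
    return tuple(r[d - 1] for d in sorted(C))


def image(R, C):
    """xi_C(R): set of all projections of elements of R on C."""
    return {project(r, C) for r in R}


def r_depends(R, A, B):
    """Definition 3: some v in xi_A(R), w in xi_B(R) never occur together in R."""
    seen = {(project(r, A), project(r, B)) for r in R}
    return any((v, w) not in seen for v in image(R, A) for w in image(R, B))


def r_depends_by_blocks(R, A, B):
    """Theorem 1: a block of pi_A and a block of pi_B have empty intersection."""
    def blocks(C):
        part = {}
        for r in R:
            part.setdefault(project(r, C), set()).add(r)
        return list(part.values())
    return any(not (x & y) for x in blocks(A) for y in blocks(B))


def is_r_dependent_set(R, C):
    """Definition 4, for finite C: disjoint A, B within C with A R-depending on B.
    Empty A or B is skipped: xi_empty(R) is a single constant, so it never depends."""
    C = sorted(C)
    subsets = [set(s) for n in range(1, len(C) + 1) for s in combinations(C, n)]
    return any(r_depends(R, A, B) for A in subsets for B in subsets if not (A & B))


def is_cartesian(R, k):
    """Corollary of Theorem 5: R equals the product of its k coordinate projections."""
    ranges = [{r[d] for r in R} for d in range(k)]
    return set(product(*ranges)) == set(R)


# Three-processor example. TAU = 1 is a normalization chosen for this sketch.
TAU = Fraction(1)
THROUGHPUT = {0: TAU, 1: TAU / 2, 2: Fraction(0)}


def capability(u):
    """Accomplishment level of trajectory u from its average throughput."""
    avg = sum(THROUGHPUT[q] for q in u) / len(u)
    if avg >= 5 * TAU / 6:   # assumed non-strict so that (0,0,1) falls in a0
        return "a0"
    if avg >= TAU / 2:
        return "a1"
    return "a2"


def inverse_image(level, phases=3):
    """U_a: all trajectories in Q^phases whose accomplishment level is `level`."""
    return {u for u in product(THROUGHPUT, repeat=phases) if capability(u) == level}


# Structured set used in Section 3.1.2 to show that R-dependence is not transitive.
NON_TRANSITIVE = {(0, 0, 0), (0, 0, 1), (1, 0, 0), (1, 1, 1)}

if __name__ == "__main__":
    R = inverse_image("a0")
    print("R =", sorted(R))
    print("{1} R-depends on {2}:", r_depends(R, {1}, {2}))
    print("D is R-dependent:", is_r_dependent_set(R, {1, 2, 3}))
    print("R is Cartesian (structure-based):", is_cartesian(R, 3))
    print("level sizes:", {a: len(inverse_image(a)) for a in ("a0", "a1", "a2")})
```

Because the success set for $a_0$ is not a Cartesian product, Theorem 6 says no sequence of per-phase structure functions can reproduce it.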

In general, we have found that such temporal functional
dependencies arise quite naturally when accomplishment levels are associated
with user-visible performance. Of particular importance is the fact
that such dependencies arise in the context of aircraft computer
performability evaluation, as was observed during the prototype
modeling and evaluation exercise conducted during the previous period
(see [3], pp. 169-170). Further evidence of this fact has been
revealed by the work of the current reporting period where, in
evaluating the performability of the SIFT computer (see Section 3.3 of
this report), we have found that there is an extensive amount of
interphase dependency and, indeed, more than we had originally
anticipated.
3.2 Evaluation Algorithms and Programs (METAPHOR)

Concurrent with the development of performability models,
concepts, measures, and measure formulations, we have proceeded
with the development of evaluation algorithms and prototype
evaluation tools for the purpose of investigating the
feasibility of our overall approach. In particular, we are
referring here to the software package called METAPHOR (Michigan
Evaluation Aid for Perphormability), whose development was
initiated during the previous reporting period (see [3], Section
3. 5. 8,1). The following sections discuss this package and the
tools it contains. Detailed documentation of METAPHOR is
currently in progress and will be included in the next
Semi-Annual Status Report. Section 3.2.1 expands upon the objectives
and abilities of METAPHOR, while Section 3.2.2 describes its
use. Finally, Section 3.2.3 examines the internal structure of
METAPHOR.

3.2.1 Objectives and Abilities 

We envision METAPHOR as ultimately containing all the
programmed tools necessary to realize a complete performability
evaluation. These include aids for a) constructing the model
hierarchy, b) determining the interlevel translations and their
inverses, c) determining the base model trajectory sets
associated with accomplishment levels, and d) evaluating the
probabilities of these trajectory sets (i.e., the sets $\gamma_S^{-1}(a)$
for each $a \in A$). In addition, because of METAPHOR's ability to
provide instruction via devices such as the HELP command, we
view METAPHOR as a performability evaluation tutor.

Of the above tools, METAPHOR currently contains substantial
elements of the last two, i.e., routines to calculate the
probabilities of trajectory sets in addition to some tutorial
capabilities. That is, once the analyst has derived the
interphase and intraphase transition (P and H) matrices along
with the corresponding trajectory sets of each accomplishment
level, METAPHOR can then be used to calculate the probability of
each accomplishment level. Presently, METAPHOR also has the
ability to compute certain classes of transition matrices given
such information as the structure of the components (e.g.,
whether computer modules are connected in a Triple Modular
Redundant (TMR) fashion), and the failure rates of those
components and the duration of the phase.

METAPHOR's tutorial facilities are based on an extensive
repertoire of replies to HELP requests, along with preprogrammed
series of questions relating to specific topics. This last
feature is intended to aid a person who is learning to use the
evaluation programs.


3.2.2 Use of METAPHOR 

This section contains a summary of the commands and options 
currently implemented in METAPHOR. These are HELP, BRIEF, ECHO, 
EXIT, DATA, ALTER, GIVEN, DEDFAIL, NFAIL, IDENTITY, COM, and 
CALC. More detailed documentation of these items is currently 
in progress and will be reported in the next Semi-Annual Status 
Report. 

When METAPHOR is first run, an initial heading is printed, 
followed by a prompt sign: 


METAPHOR 

MICHIGAN EVALUATION AID FOR PERPHORMABILITY 
VERSION 2 
5/78 

TYPE HELP FOR ASSISTANCE 

□: 

The quad followed by a colon is the prompt symbol 
indicating that METAPHOR is ready for some form of input. Three 
types of input may be entered. In response to most questions, 
numerical data is required, while a few questions need a yes/no 
type answer. The third type of input encompasses the command 
language of METAPHOR. Commands may be entered at any time, even 
in response to questions. (The present version does not 
recognize commands in answer to a yes/no question.) After the 
command is executed, the initial question is repeated (if 
appropriate). 

If the user needs further assistance at some point in the 
program, he can enter HELP. This prints an explanation of what 
to do next or a brief discussion of the idea or concept 
currently being utilized. Also, if the user desires, a list of 
references concerning that idea or concept is printed. For 
example, if METAPHOR asks what type of intraphase transition 
matrix is required, the user may type HELP to learn that four 
options are available: GIVEN, DEDFAIL, NFAIL, and IDENTITY. 
Further information, if requested, describes each option in 
detail. 

Two commands are useful when supplying input from a source 
other than the user terminal (e.g., input from a disk file or 
from cards in batch mode). These are BRIEF and ECHO. BRIEF is 
used to suppress all output except the final results, while ECHO 
is employed to repeat the user supplied input. The conditions 
are activated by entering ECHO ON, ECHO OFF, BRIEF ON, or BRIEF 
OFF. The default is BRIEF OFF, ECHO OFF. 

At any time, the program can be halted by entering EXIT. 
This causes an immediate termination of the program; it cannot 
be restarted. 

Evaluation of trajectory set probabilities is accomplished 
using the EVAL command. This command initiates a sequence of 


queries by which METAPHOR receives a description of the 
trajectory sets and related items describing METAPHOR 

asks the following questions: 


1) How many phases? 

2) How many states in each phase? 

3) What are the intraphase transition matrices (P) 
   for each phase? 

4) What are the interphase transition matrices (H) 
   for each phase? 

5) How many time-invariant variables? 

6) What is the probability distribution of each 
   time-invariant basic variable? 

7) For each accomplishment level: 

   a) How many Cartesian trajectory sets? 

   b) For each Cartesian trajectory set: 

      i) What is the initial state vector (I)? 

      ii) What are the main diagonals of the 
          characteristic matrices (G)? 

      iii) What is the characteristic vector (F)? 

      iv) What are the values of the time-invariant 
          basic variables? 


METAPHOR calculates the probability of each trajectory set 
"on the fly," i.e., as each Cartesian component is entered, its 
contribution to the overall probability is determined; the 
trajectory set is then discarded. (This method reduces the 
amount of storage necessary to perform the calculations.) The 
result in the form of a list (performability spectrum) is then 
printed. Also, if the result does not sum to 1, an error 
message is printed. 

Currently, four types (or classes) of intraphase matrices 
(P) and two types of interphase matrices (H) can be entered. 
For the P matrices, these are GIVEN, IDENTITY, NFAIL, and 
DEDFAIL, while for the H matrices, either GIVEN or IDENTITY can 
be specified. 

GIVEN allows the user to input a matrix row by row. 
IDENTITY automatically generates an identity matrix of the 
proper size. 

DEDFAIL and NFAIL compute transition matrices for 
special types of systems. Each assumes that the structure of 
the system is described in terms of "components" where the state 
of each component is either "operational" or "failed." Both 
DEDFAIL and NFAIL assume that all components are alike and fail 
independently with the same constant failure rate. Finally, 
components are assumed to fail permanently, i.e., once a 
component has failed, it remains failed for the duration of the 
phase. The difference between the two lies in how the states of 
the system are defined in terms of component status. DEDFAIL 
keeps track of each component in the system, i.e., whether a 
given component is operational or failed can be deduced from the 
state of the system. In METAPHOR, the most important use of 
DEDFAIL is in modeling a system wherein each component (e.g., 
processor) is dedicated to a different task (hence the name 
DEDFAIL). In such situations, the processing capability 
generally depends on the state of each component and hence the 
system state must convey the state of each component. 

NFAIL, on the other hand, assumes that the components of 
the system are lumped into groups. NFAIL then keeps track only 
of the number of components which are operational within each of 
these groups. For instance, if two tasks and four processors 
are configured such that two processors are executing each task, 
then failure of either processor assigned to a given task will 
have the same effect on system performance. Accordingly, 
processors sharing the same task can be lumped, resulting in 2 
groups with 2 processors per group. NFAIL is equivalent to 
DEDFAIL when NFAIL has n groups of 1 element each. 

If at any time the user wishes to know what value METAPHOR 
has assigned to some variable, or if the user wishes to change 
the value of some variable, then the commands DATA or ALTER may 
be employed. DATA causes two lines of abbreviations to be 
printed as below: 

□: 

DATA 

PUT AN X BELOW EACH ITEM TO BE DISPLAYED. HELP AVAILABLE. 

NUM.PHASES NUM.STATES P H NUM.CONST.BAS.VARS PROB.CONST.BAS.VARS 
X X 

NUM.ACC.LEVELS NUM.TRAJ.SETS I G F V PERF 
X X 

The user places an X below the items he wishes to display. Each 
item is printed so long as it has been defined, otherwise a 
warning is given stating that the item has not been defined. 

The above abbreviations should be straightforward; note that 
time-invariant basic variables are referred to as "constant" 
basic variables (CONST.BAS.VARS). "NUM" stands for "number of," 
while "ACC" for "accomplishment," and "TRAJ" for "trajectory." 
V is the vector characterizing the time-invariant basic 
variables. 


ALTER operates in a manner similar to DATA. One line of 
abbreviations is presented: 

□: 

ALTER 

PUT AN X BELOW EACH ITEM TO BE CHANGED. HELP AVAILABLE. 

P H CONST.BAS.VARS ALL.ACC.LEVELS PRESENT.ACC.LEVEL I G F V NUM.TRAJ.SETS 
X X 

Again the user places an X below each item to be changed. This 
command is particularly useful if an error is made while 
entering data. 

Two other commands are available. COM allows the user to 
enter lines of text as comments. METAPHOR will prompt each line 
with "***", after which any characters may be typed. Giving a 
carriage return with no characters (a null line) ends the 
comment section. CALC allows the user to utilize the APL 
calculator mode. Each line will be prompted by a question mark, 
a quad and then a colon as follows: 

□: 

CALC 

? 

□: 

The user is advised not to employ assignment statements (such as 
A ← 6), since the names of variables chosen may interfere with 
names of variables internal to METAPHOR. When in CALC mode, 
typing EXIT returns the user to his previous status, i.e., the 
state of the program before CALC mode was entered. 

Figures 1-2 give sample METAPHOR sessions. 
MICHIGAN EVALUATION AID FOR PERPHORMABILITY 
VERSION 2 
5/78 

TYPE HELP FOR ASSISTANCE 
ECHO ECHO ON 
□: EVAL 

NUMBER OF PHASES? 
□: 2 

NUMBER OF STATES PER PHASE? (SPACE BETWEEN EACH NUMBER) 
□: 3 2 

SPECIFY THE P MATRICES FOR EACH PHASE, 1 PHASE AT A TIME 
PHASE 1: 
WHAT TYPE OF P MATRIX? 
□: NFAIL 
ENTER PHASE LENGTH 
□: 10 
ENTER COMPONENT FAILURE RATE 
□: 0.0001 
ENTER NUMBER OF GROUPS 
□: 1 
ENTER NUMBER OF COMPONENTS PER GROUP (SPACE BETWEEN EACH NUMBER) 
□: 2 

PHASE 2: 
WHAT TYPE OF P MATRIX? 
□: DEDFAIL 
ENTER PHASE LENGTH 
□: 5 
ENTER COMPONENT FAILURE RATE 
□: 0.0001 

SPECIFY THE H MATRICES FOR EACH PHASE, 1 PHASE AT A TIME 
PHASE 1-2: 
WHAT TYPE OF H MATRIX? 
□: GIVEN 
ENTER THE MATRIX, 1 ROW AT A TIME 


FIGURE 1 

Sample METAPHOR Session 
ROW 1: 
□: 1 0 
ROW 2: 
□: 1 0 
ROW 3: 
□: 0 1 

NUMBER OF CONSTANT BASIC VARIABLES? 
□: 1 

PROBABILITIES OF EACH CONSTANT VARIABLE? (SPACE BETWEEN EACH NUMBER) 
□: 0.001 

NUMBER OF ACCOMPLISHMENT LEVELS? 
□: 3 

ACCOMPLISHMENT LEVEL 0 
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL? 
□: 1 
TRAJECTORY SET 1 
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
PHASE 1: 
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 
ENTER THE 1 ELEMENT CONSTANT BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY) 
□: 0 

ACCOMPLISHMENT LEVEL 1 
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL? 
□: 2 
TRAJECTORY SET 1 
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
PHASE 1: 
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY): 
□: 0 1 0 
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 
ENTER THE 1 ELEMENT CONSTANT BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY) 
□: 2 

TRAJECTORY SET 2 
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
PHASE 1: 
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 
ENTER THE 1 ELEMENT CONSTANT BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY) 
□: 1 


FIGURE 1 (Continued) 
Sample METAPHOR Session 
ACCOMPLISHMENT LEVEL 2 
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL? 
□: 1 
TRAJECTORY SET 1 
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 1 0 0 
PHASE 1: 
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY): 
□: 1 1 1 
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY): 
□: 0 1 
ENTER THE 1 ELEMENT CONSTANT BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY) 
□: 2 


PERFORMABILITY FOR THIS MISSION 0.0009975031224 0.9985016234 0.000500873522 


FIGURE 1 (Continued) 
Sample METAPHOR Session 
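
The following Python sketch is an added example, not part of the original report and not METAPHOR's APL code; it recomputes the performability spectrum printed at the end of Figure 1 from the inputs shown in that session. Assumptions (inferred from the session, not stated in the report): states are ordered by number of failed components, a Cartesian trajectory set has probability I·P1·G1·H1·P2·F times the constant-variable factor, the entered probability 0.001 is P(V = 0), and the value 2 means "don't care".

```python
from math import comb, exp

def matmul(a, b):
    """Plain-list matrix product."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)]
            for row in a]

def kron(a, b):
    """Kronecker product: combines independent groups into one state space."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def group_matrix(n, p):
    """Intraphase matrix for one group of n like components.

    Assumed state order: index k = number of failed components (0..n).
    Failures are permanent, so the matrix is upper triangular.
    """
    q = 1.0 - p
    return [[comb(n - i, j - i) * q ** (j - i) * p ** (n - j) if j >= i else 0.0
             for j in range(n + 1)] for i in range(n + 1)]

def nfail(length, rate, group_sizes):
    """NFAIL-style P matrix: only the failure count per group is tracked."""
    p = exp(-rate * length)  # probability one component survives the phase
    m = [[1.0]]
    for n in group_sizes:
        m = kron(m, group_matrix(n, p))
    return m

def dedfail(length, rate, n_components):
    """DEDFAIL-style P matrix via the stated equivalence with NFAIL on
    n groups of one component each (component count is an assumed input)."""
    return nfail(length, rate, [1] * n_components)

def set_probability(I, P, H, G, F, v, p_zero):
    """Probability of one Cartesian trajectory set.

    I: initial state vector; P: intraphase matrices, one per phase;
    H: interphase matrices, one per phase boundary; G: diagonals of the
    characteristic matrices for every phase but the last; F: characteristic
    vector of the last phase; v: constant basic variable values
    (0, 1, or 2 = don't care); p_zero: P(V_i = 0) for each variable.
    """
    row = [list(I)]
    for k in range(len(P) - 1):
        row = matmul(row, P[k])                              # evolve in phase
        row = [[x * g for x, g in zip(row[0], G[k])]]        # keep allowed states
        row = matmul(row, H[k])                              # cross the boundary
    row = matmul(row, P[-1])
    prob = sum(x * f for x, f in zip(row[0], F))
    for value, p0 in zip(v, p_zero):
        prob *= {0: p0, 1: 1.0 - p0, 2: 1.0}[value]
    return prob

def spectrum(levels, P, H, p_zero, tol=1e-9):
    """Sum the set probabilities per accomplishment level and apply the
    sum-to-1 check that the report says METAPHOR performs."""
    result = [sum(set_probability(P=P, H=H, p_zero=p_zero, **s) for s in sets)
              for sets in levels]
    if abs(sum(result) - 1.0) > tol:
        raise ValueError("performability spectrum does not sum to 1")
    return result

def figure1():
    """Inputs transcribed from the Figure 1 session."""
    P = [nfail(10, 0.0001, [2]), dedfail(5, 0.0001, 1)]
    H = [[[1, 0], [1, 0], [0, 1]]]
    start = [1, 0, 0]
    levels = [
        [dict(I=start, G=[[1, 0, 0]], F=[1, 0], v=[0])],
        [dict(I=start, G=[[0, 1, 0]], F=[1, 0], v=[2]),
         dict(I=start, G=[[1, 0, 0]], F=[1, 0], v=[1])],
        [dict(I=start, G=[[1, 1, 1]], F=[0, 1], v=[2])],
    ]
    return spectrum(levels, P, H, p_zero=[0.001])

if __name__ == "__main__":
    for level, prob in enumerate(figure1()):
        print(f"a({level}): {prob:.10g}")
```

Dropping any one trajectory set from `levels` makes `spectrum` raise, which is the same consistency check the session relies on to catch a mis-entered G or F vector.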
METAPHOR 

MICHIGAN EVALUATION AID FOR PERPHORMABILITY 
VERSION 2 
5/78 

TYPE HELP FOR ASSISTANCE 

□: 
COM 
*** 
*** FIGURE 2 DEMONSTRATES SOME OF THE UTILITY 
*** FUNCTIONS AVAILABLE IN METAPHOR 
*** 

HELP 

METAPHOR IS AN INTERACTIVE SOFTWARE PACKAGE AIDING THE MODELING 
AND ANALYSIS OF PERFORMABILITY. AT PRESENT, METAPHOR IS CAPABLE 
ONLY OF EVALUATING CERTAIN PERFORMABILITY MODELS. 

THE COMMANDS PRESENTLY AVAILABLE ARE: EVAL, HELP, DATA, ALTER, CALC 
COM, BRIEF [ON\OFF], ECHO [ON\OFF], AND EXIT. 

DO YOU WANT MORE HELP? 
□: 
NO 

□: 
EVAL 

NUMBER OF PHASES? 
□: 
2 

NUMBER OF STATES PER PHASE? (SPACE BETWEEN EACH NUMBER) 
□: 
1 2 

SPECIFY THE P MATRICES FOR EACH PHASE, 1 PHASE AT A TIME 
PHASE 1: 
WHAT TYPE OF P MATRIX? 
□: 
HELP 

TYPE ONE OF: GIVEN, DEDFAIL, NFAIL, IDENTITY 

DO YOU WANT MORE HELP? 
□: 
NO 

WHAT TYPE OF P MATRIX? 
□: 
NFAIL 


FIGURE 2 

Sample METAPHOR Session 
ENTER PHASE LENGTH 
□: 
2 

ENTER COMPONENT FAILURE RATE 
□: 
1 

1 IS LARGE FOR A FAILURE RATE. DO YOU WANT THIS VALUE? 
□: 
NOPE 

ENTER COMPONENT FAILURE RATE 
□: 
.001 

ENTER NUMBER OF GROUPS 
□: 
DATA 

PUT AN X BELOW EACH ITEM TO BE DISPLAYED. HELP AVAILABLE. 

NUM.PHASES NUM.STATES P H NUM.CONST.BAS.VARS PROB.CONST.BAS.VARS 
X X X X 

NUM.ACC.LEVELS NUM.TRAJ.SETS I G F V PERF 


NUMBER OF PHASES IS 2 
NUMBER OF STATES PER PHASE IS 1 2 
P MATRICES HAVE NOT BEEN DEFINED 
THE CONSTANT BASIC VARIABLES HAVE NOT BEEN DEFINED 
THE NUMBER OF ACCOMPLISHMENT LEVELS NOT DEFINED 
PERFORMABILITY NOT DEFINED. 

ENTER NUMBER OF GROUPS 
□: 
ALTER 

PUT AN X BELOW EACH ITEM TO BE CHANGED. HELP AVAILABLE. 

P H CONST.BAS.VARS ALL.ACC.LEVELS PRESENT.ACC.LEVEL I G F V NUM.TRAJ.SETS 
X X 

P MATRICES ARE NOT DEFINED AT THIS TIME. 
THE ACCOMPLISHMENT LEVELS ARE NOT DEFINED AT THIS TIME. 
THE NUMBER OF TRAJECTORY SETS IS NOT DEFINED AT THIS TIME. 

□: 
EXIT 


FIGURE 2 (Continued) 

Sample METAPHOR Session 
3.2.3 Internal Structure 

This section presents a brief overview of the way METAPHOR 
operates internally. Currently, METAPHOR is in its second major 
version. It is written in APL and contains approximately 2000 
lines of code. The package is highly modular, with about 60 APL 
functions (somewhat analogous to FORTRAN subroutines). Figure 3 
lists the currently available functions. 

Although APL does not lend itself readily towards 
structured programming, a substantial effort was made to make 
the package easily readable and maintainable. Thus, for 
example, specific conventions regarding the names of functions, 
variables, and labels have been established. 

Various methods of control and information exchange among 
the various functions are employed. For instance, there is a 
versatile input function which determines whether the item (or 
items) entered by the user is a command or data. If a command 
is given, the proper corresponding functions are then called. 
If data is given, a check is made to insure that it is of the 
correct size. Other functions check to see if the data is 
consistent, e.g., if a probability distribution is to be input, 
then it must sum to one. Some of the user assistance commands, 
namely HELP, ALTER, and DATA, have somewhat involved control 
mechanisms. For example, METAPHOR must be aware of which 
function it is executing in order to correctly respond to HELP 
requests. 

More complete documentation of METAPHOR's internal 
structure is currently underway and will be included in the next 
Semi-Annual Status Report. 
Main Functions 

METAPHOR 
DECLAREMETAPHOR 
METINFO 

Command Functions 

COMMANDALTER 
COMMANDBRIEF 
COMMANDCALC 
COMMANDCOM 
COMMANDDATA 
COMMANDECHO 
COMMANDEVAL 
COMMANDHELP 

Command Support Functions 

BRIEF 
ECHO 
GETALTERVECTOR 
GAVINFO 
GETDATAVECTOR 
GDVINFO 

Command EVAL Implementation Functions 

GETNUMPHASES 
GNPINFO 
GETSTATES 
GSINFO 
GETPMATRICES 
GETHMATRICES 
GETNUMBASICVARIABLES 
GNBVINFO 
GETBASICVARIABLES 
GBVINFO 
GETNUMACCLEV 
GNAINFO 
GETPERF 
I CJTPERFORMABILITY 

Matrix Generator Functions 

GENERATEHMATRIX 
GHMINFO 
GENERATEPMATRIX 
GPMINFO 
GDEDFAIL 
GDINFO 
GGIVEN 
GGINFO 
GIDENTITY 
GNFAIL 
GNINFO 

Trajectory Set Evaluation Functions 

GETACCLEVPROB 
GETNUMTRAJSETS 
GNTSINFO 
GETIVECTOR 
GIVINFO 
GETGMATRICES 
GGMINFO 
GETFVECTOR 
GFVINFO 
GETVVALUES 
GVVINFO 
CALCTRAJPROB 

I/O and Checking Functions 

INPUT 
INYES 
CHECKBIN 
CHECKPOSI 
CHECKPROB 
CHECKTRI 
PRINT 
PRINTQUAD 

APL Support Function 

ENCODE 


FIGURE 3 

Currently available METAPHOR functions 



3.3 Performability Evaluation of the SIFT Computer in an Air 
Transport Mission 

During the reporting period, we have completed a relatively 
comprehensive performability modeling and evaluation exercise 
involving the SIFT computer [8] as it might operate in the 
environment of a transoceanic air transport mission. In 
carrying out this exercise, we have attempted to strike a 
balance between simplicity and reality that permits all aspects 
of the methodology to be demonstrated in the context of a 
meaningful evaluation problem. In particular, reality was 
stressed in the construction of higher level models, where our 
assumptions are based on the study of computational requirements 
made by R. S. Ratner, et al. [7]. Simplicity was stressed in 
our choice of a bottom level Markov model of the SIFT computer 
(similar to "Model I" used by SRI; see [8], p. 151) in order to 
reduce the complexity of the performability calculations. 
However, more realistic bottom models (e.g., SRI "Model IV") are 
compatible with the remainder of the hierarchy and could replace 
the simpler bottom model. 

The description of this effort is organized as follows. 
First, the performance model (accomplishment set), two upper 
level models (mission level and aircraft functional task level), 
as well as the interconnections between them, are presented in 
Section 3.3.1. Section 3.3.2 then introduces the bottom model 
of the SIFT computer and describes the interlevel translation 
between it and the functional task level. Both the algorithm by 
which tasks are allocated to the computer as well as a Markov 
model describing the hardware are discussed. Derivations of the 
base model trajectory sets (associated with each level of 
accomplishment) are described in Section 3.3.3, and derivation 
of computer model transition matrices is described in Section 
3.3.4. Finally, the numerical results of the evaluation 
exercise are presented in Section 3.3.5. 

3.3.1 Higher Level Models 

3.3.1.1 Performance Model 

The total system S = (C, E) considered is the SIFT computer 
C operated in the environment E of a transoceanic flight of a 
commercial aircraft. The mission of the total system can be 
characterized as follows: 

"Transport passengers between two points (separated by 
an ocean) with safety, with no significant change 
of mission, with no significant operational 
penalties or stress on crew or Air Traffic 
Control, and with no significant economic 
penalties." 

Examining this statement in more detail, total system 
performance can be described in terms of four attributes: 
safety, no change in mission profile, no operational penalties, 
and no economic penalties. Attributes similar to these have 
been used by Ratner, et al. [7] to distinguish the 
"criticalities" of various aircraft functions. To determine the 
accomplishment set A for the performance variable $Y_S$, we 
assume that safety is the most important attribute, i.e., safe 
flights have the greatest worth, the remaining attributes being 
worth successively less in the order they are listed above. 
These assumptions agree with the "reliability requirements" (see 
[7], p. 7) associated with corresponding criticality levels. We 
assume further that safety is worth considerably more than no 
change in mission profile, which in turn is worth considerably 
more than no operational penalties, etc. Thus, for example, if 
there is a change in mission profile (i.e., loss of the 
attribute "no change in mission profile") then the presence or 
absence of lower worth attributes (i.e., "no operational 
penalties" and "no economic penalties") will have a negligible 
effect on the worth of the mission outcome. 

With the above assumptions, the following set suffices to 
describe the relevant levels of accomplishment: 

$$A = \{a_0, a_1, a_2, a_3, a_4\}$$ 

where each level has the following general definition: 

$a_0$ = no economic penalties, no operational penalties, no 
        change in mission profile, and no fatalities, 

$a_1$ = economic penalties, no operational penalties, no 
        change in mission profile, and no fatalities, 

$a_2$ = operational penalties, no change in mission profile, 
        and no fatalities, 

$a_3$ = change in mission profile, and no fatalities, 

$a_4$ = fatalities. 

Thus, by accounting for the relative importance of various 
attributes, the number of relevant levels of accomplishment is 
reduced from 16 (the number of subsets of the set of 4 
attributes) to 5. On the other hand, the information regarding 
relative worths is not essential, i.e., the evaluation could be 
carried out relative to a 16 level accomplishment set. 

For this accomplishment set, we then developed a 
hierarchical model of the total system comprised of three 
levels: 

Level 0: Mission Level 

Level 1: Aircraft Functional Task Level 

Level 2: Computer Level. 

Construction of this model proceeded in a top-down manner (i.e., 
level 0 → level 1 → level 2) as generally discussed in earlier 
reports (see [3], pp. 81-82, for example). The subsections 
that follow describe this hierarchy, i.e., the models at each 
level and the interlevel translations between adjacent models. 

3.3.1.2 Mission Level Model 

The mission level model (level 0) describes the total 
system performance in terms closely related to the 
accomplishment set A. 

Formally, this model is a single variable random process 
Z = xP taking values in the state space 

$$Q^0 = \{0,1\}^4$$ 

where a state $q = (q_1, q_2, q_3, q_4) \in Q^0$ is interpreted as 
follows: 

$q_1$ = 0 if the mission has no economic penalties 
        1 otherwise, 

$q_2$ = 0 if the mission has no operational penalties 
        1 otherwise, 

$q_3$ = 0 if the mission has no change in mission profile 
        1 otherwise, 

$q_4$ = 0 if the mission is safe 
        1 otherwise. 

If $\xi_i$ is the projection of $Q^0$ onto its $i$th coordinate, we let 
$z_i$ denote the random variable $\xi_i Z$, i.e., 

$$Z = (z_1, z_2, z_3, z_4).$$ 
* 
As a mnemonic aid, these variables are alternatively referred to 
as follows: 

$z_1$ = ECONOMICS 
$z_2$ = OPERATIONS 
$z_3$ = PROFILE 
$z_4$ = SAFETY. 

Because the level 0 model consists of a single random variable, 
the trajectory space $U^0$ (see [3], p. 20) coincides with the 
state space, i.e., 

$$U^0 = Q^0 = \{0,1\}^4.$$ 

Table 1 specifies the inverse of the interlevel translation 
or, what is the same, the partial capability function $\gamma_0$ 
(see [3], p. 26). Because of the inability of computer output 
to denote subscripts, the accomplishment level indices are 
placed in parenthesis after the letter "a." For example, $a_3$ is 
written a(3). This is similar to the method used in FORTRAN and 
other computer languages to specify array subscripts and should 
cause no confusion. The notation of Table 1 represents a 
"don't care" situation and signifies that any valid entry is 
acceptable. 
3.3.1.3 Aircraft Functional Task Level Model 

To determine an appropriate model at the aircraft 
functional task level, we assume the following characteristics 
regarding the aircraft to be used in the mission. (See [7] for 
more details regarding these specific aircraft functions.) 


a) The aircraft has an Aircraft Integrated Data 
System (AIDS) which continuously executes in-flight 
analyses of various on-board data. This information 
is economically useful to the airline for assessing 
aircraft performance and for scheduling maintenance. 
Thus, loss of AIDS results in an economic setback to 
the air carrier. 

b) The aircraft has two means of navigation. The 
first involves an inertial guidance system (INERTIAL) 
which will operate at any point regardless of 
latitude, while the second means involves an air data 
system (AIR DATA) along with two radio beacon systems: 
Very-High Frequency Omniranges (VOR) and Distance 
Measuring Equipment (DME). We assume that the signals 
generated by the VOR/DME systems will not be 
receivable by aircraft more than 250 nautical miles 
from a transmitting station, and in particular, more 
than 250 nautical miles from land. The AIR DATA 
function is required to support the VOR/DME function. 

c) If the aircraft loses its inertial system before 
entering a region where it cannot receive VOR/DME 
signals (especially an oceanic region on a 
transoceanic mission), the plane will return to its 
origin. We make the simplifying assumption that if 
the plane must make such a diversion, the plane 
returns safely to its origin with no further 
incidents. This assumption is made because the theory 
to support the use of multiple, state-dependent 
utilization periods has not yet been developed. Such 
a diversion is considered a change in mission 
profile. 

d) If the aircraft loses its inertial system while 
out of range of VOR/DME, then the plane loses all 
navigational capability. Likewise, if the aircraft 
loses its INERTIAL system and its capability to 
analyze VOR/DME-AIR DATA information (i.e., either the 
VOR/DME function or the AIR DATA function), then the 
aircraft loses all navigational capability. Such a 
loss of navigation will be considered a change in 
mission profile. 

e) If the aircraft loses either its AIR DATA function 
or its VOR/DME function, then the loss is considered 
an operational penalty. Of course, if both functions 
fail, a change in mission profile may occur. (See d) 
above.) 

f) The aircraft has an autoland system (AUTOLAND) 
which, if working, will land the plane in any weather. 
This system is used only in Category III weather. The 
AUTOLAND system requires the results of INERTIAL 
computations as well as AUTOLAND computations. If at 
the initiation of landing, the destination airport has 
Category III weather and the aircraft does not possess 
the AUTOLAND capability, then a diversion is made to 
another airport. Such a diversion is considered a 
change in mission profile. 

g) If at the initiation of landing, the destination 
airport has Category III weather, and the aircraft has 
the AUTOLAND capability, then loss of AUTOLAND during 
landing will cause the plane to crash, resulting in an 
unsafe mission. 

h) The aircraft has active flutter control (ACTIVE 
FLUTTER CONTROL), attitude control (ATTITUDE CONTROL), 
and engine control (ENGINE CONTROL) functions, all of 
which are critical to the airworthiness of the plane. 
Loss of any one of these functions entails fatalities 
and, hence, an unsafe mission. 

i) The onboard computer is involved actively in all 
aircraft functions mentioned above. Furthermore, the 
computer is involved in no other tasks. 


Under the above assumptions, we have the following (worst 
case) conditions relating functional tasks to the mission 
variables $z_1$, $z_2$, $z_3$, $z_4$ discussed in the previous section: 

$z_1$ = ECONOMICS = 

    0 if AIDS works for the entire mission 

    1 if AIDS fails at some point in the 
      mission. 

$z_2$ = OPERATIONS = 

    0 if VOR/DME and AIR DATA both work for the 
      entire mission 

    1 if VOR/DME or AIR DATA fail at some point 
      in the mission. 

$z_3$ = PROFILE = 

    0 if i) INERTIAL works through the 
      initiation of landing and AUTOLAND works 
      at the initiation of landing, or ii) 
      INERTIAL works until the plane is near 
      enough to its destination to receive 
      VOR/DME and the weather at the initiation 
      of landing is not Category III, or iii) 
      INERTIAL works through the initiation of 
      landing and the weather at the initiation 
      of landing is not Category III, 

    1 if i) INERTIAL and either VOR/DME or AIR 
      DATA fail when the plane is near its 
      destination, or ii) INERTIAL fails when 
      the plane is near its source, or iii) 
      INERTIAL fails when the plane is out of 
      range of VOR/DME signals, or iv) AUTOLAND 
      fails at the initiation of landing and 
      the weather at the initiation of landing 
      is Category III. 

$z_4$ = SAFETY = 

    0 if either i) AUTOMATIC FLUTTER CONTROL, 
      ENGINE CONTROL, and ATTITUDE CONTROL work 
      during the entire mission; INERTIAL works 
      while the aircraft is close to its source 
      (until the plane is out of range of 
      VOR/DME); and at the initiation of 
      landing and one of the following is true: 

      a) the weather is not Category III, or 

      b) the weather is Category III but either 
         AUTOLAND or INERTIAL does not work, or 

      c) the weather is Category III, and both 
         AUTOLAND and INERTIAL work through the 
         conclusion of the landing, 

      or ii) AUTOMATIC FLUTTER CONTROL, ENGINE 
      CONTROL, and ATTITUDE CONTROL work, while 
      the aircraft is close to its source 
      (until the plane is out of range of 
      VOR/DME), but INERTIAL does not work at 
      some point during the same interval, 

    1 if either i) AUTOMATIC FLUTTER CONTROL, 
      ENGINE CONTROL, or ATTITUDE CONTROL do 
      not work at some point during the 
      mission, or ii) at the initiation of 
      landing, the weather is Category III, 
      and AUTOLAND and INERTIAL work, but then 
      during landing, either AUTOLAND or 
      INERTIAL fail. 


Hence, the model at the aircraft functional task level 
involves the following eight aircraft tasks along with a single 
environment variable: 

AIDS 
VOR/DME 
AIR DATA 
INERTIAL 
AUTOLAND 
ACTIVE FLUTTER CONTROL 
ENGINE CONTROL 
ATTITUDE CONTROL 
WEATHER (environment). 

Also, because of the considerations regarding the range of the 
VOR/DME and the initiation of landing, four phases are 
appropriate: 

Phase 1 = Takeoff/cruise until VOR/DME out of range. 
Phase 2 = Cruise until VOR/DME in range again. 
Phase 3 = Cruise until landing is to be initiated, and 
Phase 4 = Landing, 

where their descriptions are abbreviated as follows: 

Phase 1 = Takeoff/Cruise A 
Phase 2 = Cruise B 
Phase 3 = Cruise C 
Phase 4 = Landing. 
Graphically, the utilization period is decomposed as follows: 
[Figure: time line of the utilization period from START OF 
MISSION (t=0) to END OF MISSION (t=h), divided into Phase 1 
(Takeoff/Cruise A, VOR/DME in range), Phase 2 (Cruise B, VOR/DME 
out of range), Phase 3 (Cruise C, VOR/DME in range), and Phase 4 
(Landing).] 

Formally, the aircraft level model is a random process Y 
with four random variables: 

$$Y = \{X^1_a, X^1_b, X^1_c, X^1_h\}$$ 

where a is the time at which Cruise A ends, b is the time at 
which Cruise B ends, c is the time at which Cruise C ends, and h 
is the time at which the landing ends (since the utilization 
period is [0,h]). The state space for each phase is 

$$Q^1 = \{0,1\}^9$$ 

where a state $q = (q_1, q_2, q_3, q_4, q_5, q_6, q_7, q_8, q_9)$ in $Q^1$ is 
interpreted as follows: 

$q_1$ = 0 if AIDS works during the entire phase 
        1 if AIDS fails at some point during the phase, 

$q_2$ = 0 if VOR/DME works during the entire phase 
        1 if VOR/DME fails at some point during the 
          phase, 

$q_3$ = 0 if AIR DATA works during the entire phase 
        1 if AIR DATA fails at some point during the 
          phase, 

$q_4$ = 0 if INERTIAL works during the entire phase 
        1 if INERTIAL fails at some point during the 
          phase, 

$q_5$ = 0 if AUTOLAND works during the entire phase 
        1 if AUTOLAND fails at some point during the 
          phase, 

$q_6$ = 0 if ACTIVE FLUTTER CONTROL works during the 
          entire phase 
        1 if ACTIVE FLUTTER CONTROL fails at some point 
          during the phase, 

$q_7$ = 0 if ENGINE CONTROL works during the entire 
          phase 
        1 if ENGINE CONTROL fails at some point during 
          the phase, 

$q_8$ = 0 if ATTITUDE CONTROL works during the entire 
          phase 
        1 if ATTITUDE CONTROL fails at some point during 
          the phase, 

$q_9$ = 0 if non-Category III weather at the initiation 
          of landing 
        1 otherwise. 
Using the array representation discussed in the Third Semi-
Annual Status Report [3], the process Y is written as a matrix
of random variables

$$
\begin{bmatrix}
y_{11} & y_{12} & y_{13} & y_{14} \\
y_{21} & y_{22} & y_{23} & y_{24} \\
y_{31} & y_{32} & y_{33} & y_{34} \\
y_{41} & y_{42} & y_{43} & y_{44} \\
y_{51} & y_{52} & y_{53} & y_{54} \\
y_{61} & y_{62} & y_{63} & y_{64} \\
y_{71} & y_{72} & y_{73} & y_{74} \\
y_{81} & y_{82} & y_{83} & y_{84} \\
y_{91} & y_{92} & y_{93} & y_{94}
\end{bmatrix}
\begin{matrix}
\text{AIDS} \\
\text{AIR DATA} \\
\text{VOR/DME} \\
\text{INERTIAL} \\
\text{AUTOLAND} \\
\text{ACTIVE FLUTTER CONTROL} \\
\text{ENGINE CONTROL} \\
\text{ATTITUDE CONTROL} \\
\text{WEATHER.}
\end{matrix}
$$


Here $y_{ij}$ is the $i$th coordinate of the $j$th variable in Y
(e.g., $y_{23}$ is the AIR DATA coordinate of $X^1_c$). In the
discussion of Section 3.3.3, an alternate notation for $y_{ij}$
will sometimes be employed: if I is the name of row i (as
indicated above), then $y_{ij}$ will be written I(j), e.g.,
$y_{23}$ = AIR DATA (3). Accordingly, the trajectory space for
the level 1 model is

$$U^1 = \{0,1\}^9 \times \{0,1\}^9 \times \{0,1\}^9 \times \{0,1\}^9 = \{0,1\}^{36}$$

whose elements are represented as 9x4 matrices over {0,1}.

Using the above information, the translation between the
mission level (level 0) and the aircraft functional task level
(level 1) was formulated, i.e., the inverse $\kappa_1^{-1}$ of
the level 1 to level 0 interlevel translation $\kappa_1$ (see
[3], p. 24). Employing the method described in the previous
report ([4], pp. 96-103), $\kappa_1^{-1}(z)$ for some mission
outcome z can then be expressed as the intersection of the
component inverses $(\xi_i\kappa_1)^{-1}$, i.e.,

$$\kappa_1^{-1}(z) = (\xi_1\kappa_1)^{-1}(z_1) \cap (\xi_2\kappa_1)^{-1}(z_2) \cap (\xi_3\kappa_1)^{-1}(z_3) \cap (\xi_4\kappa_1)^{-1}(z_4)$$

$$= (\xi_{\text{ECONOMICS}}\kappa_1)^{-1}(\text{ECONOMICS}) \cap (\xi_{\text{OPERATIONS}}\kappa_1)^{-1}(\text{OPERATIONS}) \cap (\xi_{\text{PROFILE}}\kappa_1)^{-1}(\text{PROFILE}) \cap (\xi_{\text{SAFETY}}\kappa_1)^{-1}(\text{SAFETY})$$

where

$$
z = \begin{bmatrix} z_1 \\ z_2 \\ z_3 \\ z_4 \end{bmatrix}
\begin{matrix} \text{ECONOMICS} \\ \text{OPERATIONS} \\ \text{PROFILE} \\ \text{SAFETY} \end{matrix}
$$

is some mission level trajectory.

Table 2 shows the component inverses $(\xi_i\kappa_1)^{-1}$
(i=1,2,3,4) of the interlevel translation $\kappa_1$. The first
column of the table names the coordinate being considered, that
is, one of ECONOMICS ($z_1$), OPERATIONS ($z_2$), PROFILE
($z_3$), or SAFETY ($z_4$), while the second column gives the
value of that coordinate (either 0 or 1). The third column
presents a level 1 trajectory set that maps into the given
level 0 coordinate value. For coordinate i and value v the union
of all the indicated Cartesian trajectory sets is the set
$(\xi_i\kappa_1)^{-1}(v)$. Thus, for example, the trajectory set
which corresponds to SAFETY=0, i.e., the set
$(\xi_4\kappa_1)^{-1}(0)$, is

Finally, the fourth (rightmost) column of the table assigns a
single letter name to each level 1 trajectory set; capital
letters denote trajectory sets corresponding to coordinate values
of 1, while lowercase letters denote trajectory sets associated
with coordinate values of 0. Sets are referred to by these names
in a later table (Table 3). Thus $(\xi_4\kappa_1)^{-1}(0)$
illustrated above is abbreviated:

$$A \cup B \cup C \cup D \cup E.$$

Thus, any aircraft level trajectory which appears in the above
set results in a safe mission, and conversely, if a trajectory
does not appear in the above set, then the corresponding mission
is unsafe.

The next step (in the algorithm for determining $\gamma$) is to
determine the inverse $\gamma_1^{-1}$ of the level 1 based
capability function (see [3], p. 26), where, for each level a in
the accomplishment set,

$$\gamma_1^{-1}(a) = \bigcup_{u \in \gamma_0^{-1}(a)} \kappa_1^{-1}(u).$$

(In general, the determination of $\gamma_1^{-1}$ involves "basic
variables" as well as "composite variables"; see [3], p. 26.
However, in the above case, the only variables at level 0 are
composite, and hence they need not be carried down to level 1.)

In order to manipulate sets of trajectories (and particularly
Cartesian sets), the above formula can be generalized as follows.
Suppose that $\gamma_0^{-1}(a)$ is decomposed into a union of
Cartesian sets $U_1, U_2, \ldots, U_m$. Then, from the above
formula, it follows that

$$\gamma_1^{-1}(a) = \bigcup_{k=1}^{m} \kappa_1^{-1}(U_k). \qquad (3.3.1)$$

Moreover, since $U_k$ is Cartesian, membership of a trajectory u
in $U_k$ is uniquely determined by its coordinate memberships,
that is,

$$u \in U_k$$

if and only if, for all coordinates i,
$\xi_i(u) \in \xi_i(U_k)$. This important property says that
Cartesian sets of trajectories can be manipulated in a manner
similar to that of individual trajectories. In particular, if C
is the set of coordinate indices of $U_k$, then

$$\kappa_1^{-1}(U_k) = \bigcap_{i \in C} (\xi_i\kappa_1)^{-1}(\xi_i(U_k)). \qquad (3.3.2)$$

Applying these formulas to the computation in question, we
note first that each $\gamma_0^{-1}(a)$ is already Cartesian.
(See Table 1.) Thus a decomposition of $\gamma_0^{-1}(a)$ into
Cartesian sets is trivial, i.e., $\gamma_0^{-1}(a) = U_1$ and, by
equation (3.3.1), we have

$$\gamma_1^{-1}(a) = \kappa_1^{-1}(U_1).$$

Next, we note that C = {1,2,3,4} and hence, by equation (3.3.2),

$$\gamma_1^{-1}(a) = \bigcap_{i=1}^{4} (\xi_i\kappa_1)^{-1}(\xi_i(U_1)). \qquad (3.3.3)$$

The values of the intersected terms on the right are determined
using Table 2 such that each term is expressed as a union of
Cartesian sets. (Note that if $\xi_i(U_1) = *$ (an arbitrary
value) or if $\xi_i(U_1)$ = j£ (the $i$th coordinate of 0® is a
constant) then the term $(\xi_i\kappa_1)^{-1}(\xi_i(U_1))$ can be
ignored, since it is equal to the whole level 1 trajectory space
$U^1$.) Finally, these unions are intersected according to
(3.3.3), the result being an expression of $\gamma_1^{-1}(a)$ as
a union of level 1 Cartesian trajectory sets. These resulting
sets are displayed in Table 3. To illustrate this computation and
to aid the interpretation of Table 3, consider the following
example.

[Tables 2 and 3: table bodies lost in extraction. Surviving
legend for the level 1 trajectory set matrices: Column 1:
Phase 1 = Takeoff/Cruise A; Column 2: Phase 2 = Cruise B;
Column 3: Phase 3 = Cruise C; Column 4: Phase 4 = Landing; rows
AIDS, VOR/DME, AIR DATA, INERTIAL, AUTOLAND, ACTIVE FLUTTER
CONTROL, ENGINE CONTROL, ATTITUDE CONTROL, WEATHER. Surviving
Table 3 headings: ECONOMICS, OPERATIONS, PROFILE, SAFETY; LEVEL 1
PRODUCT TERMS; RESULTING LEVEL 1 TRAJECTORY SETS. Table 3 note:
names are defined in Table 2; for each row, the resultant level 1
trajectory set is the intersection of the sets named in
Column 2.]

Example

Suppose $a = a_0$. Then, by row a(0) of Table 1,

$$\gamma_0^{-1}(a_0) = U_1$$

with

$$\xi_1(U_1) = 0, \quad \xi_2(U_1) = 0, \quad \xi_3(U_1) = 0, \quad \xi_4(U_1) = 0,$$

where the correspondence between coordinate indices and
coordinate names (see Table 2) is:

1. ECONOMICS

2. OPERATIONS

3. PROFILE

4. SAFETY.

Using Table 2 to determine the sets
$(\xi_i\kappa_1)^{-1}(\xi_i(U_1))$ and designating the Cartesian
components of these sets by their Table 2 names,

$(\xi_1\kappa_1)^{-1}(0) = A$   (p. 1, row 1)

$(\xi_2\kappa_1)^{-1}(0) = A$   (p. 2, row 1)

$(\xi_3\kappa_1)^{-1}(0) = A \cup B \cup C$   (p. 4, rows 1-3)

$(\xi_4\kappa_1)^{-1}(0) = A \cup B \cup C \cup D \cup E$   (p. 5, last row; p. 6, rows 1-4).

Note that the set names used in Table 2 are "coordinate
sensitive," e.g., the A's appearing above mean different
trajectory sets for different coordinates. To illustrate the
remaining computations, we resolve these ambiguities by adding
subscripts, i.e.,

$(\xi_1\kappa_1)^{-1}(0) = A_1$

$(\xi_2\kappa_1)^{-1}(0) = A_2$

$(\xi_3\kappa_1)^{-1}(0) = A_3 \cup B_3 \cup C_3$

$(\xi_4\kappa_1)^{-1}(0) = A_4 \cup B_4 \cup C_4 \cup D_4 \cup E_4.$

Accordingly, performing the intersection of equation (3.3.3)
(where the $\cap$ symbols are omitted):

$$\gamma_1^{-1}(a_0) = A_1 A_2 (A_3 \cup B_3 \cup C_3)(A_4 \cup B_4 \cup C_4 \cup D_4 \cup E_4)$$

$$= A_1A_2A_3A_4 \cup A_1A_2A_3B_4 \cup \cdots \cup A_1A_2C_3E_4.$$

Note that the above expression contains 15 "product terms" when
fully written. Note also that, by developing the intersections
in the above manner, the subscripts are indeed redundant (i.e.,
the position of a letter is enough to resolve its meaning).

Referring to Table 3, each row of the table beginning with entry
a(0) corresponds to a product term in the above expression; the
second column of the table displays the corresponding term (with
subscripts removed); and the third column gives the resulting
intersection of level 1 sets named by letters in the product
term. (Since all letters name Cartesian sets and since the
intersection of Cartesian sets is Cartesian, the resulting set is
Cartesian.) $\gamma_1^{-1}(a_0)$, then, is just the union of all
the column 3 entries of rows beginning with a(0). Since all but
four of these entries are null, the set of all level 1
trajectories corresponding to accomplishment level $a_0$ is
given by

“0000*] r0 0 0 0l AIDS. 

0000 0000 VOR/DME 

0000 0000 AIR DATA 

000* 0000 INERTIAL 

ft fi 0 * U / / 0 0 AUTOLAND 

0 0 0 0 0 0 0 0 ACTIVE FLUTTER CONTROL 

0000 0000 ENGINE CONTROL 

0000 0000 ATTITUDE CONTROL 

fi / 0 £ J Ly i 1 /J WEATHER 


“0000“] [ 0 0 0 01 AIDS 

0000 0000 VOR/DME 

0000 0000 AIR DATA 

001* 000* INERTIAL 

i/ / * * U / / 1 * AUTOLAND 

1 0 0 0 0 0000 ACTIVE FLUTTER CONTROL 

0000 0000 ENGINE CONTROL 

0000 0000 ATTITUDE CONTROL 

^ / 0 / j WEATHER . 


This concludes the example. 

Table 3 is therefore a complete description of how behavior
of the level 0 model relates to behavior of the level 1 model. In
deriving the algorithm used to compute Table 3, emphasis was
placed on finding a practical method that would work as opposed
to one that would work most efficiently. The efficiency issue is
one which must certainly be addressed at some future time, but
for the present, we are primarily concerned with establishing the
feasibility of the methodology.
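
The product-term expansion of equations (3.3.2) and (3.3.3), as an added Python example that is not part of the original report. Cartesian trajectory sets are 9x4 grids whose cells are 0, 1 or * (either value); the named sets and all function names below are constructed for illustration and are not the entries of Table 2.

```python
from itertools import product

# Row order of the 9x4 trajectory matrices; columns are the four level 1 phases.
ROWS = ("AIDS", "VOR/DME", "AIR DATA", "INERTIAL", "AUTOLAND",
        "ACTIVE FLUTTER CONTROL", "ENGINE CONTROL", "ATTITUDE CONTROL",
        "WEATHER")
PHASES = 4
CELL = {"0": frozenset({0}), "1": frozenset({1}), "*": frozenset({0, 1})}


def cart(spec):
    """Cartesian set from {row name: 4-character pattern over 0, 1, *}.
    Rows that are not named are unconstrained ('****')."""
    unknown = set(spec) - set(ROWS)
    if unknown:
        raise ValueError(f"unknown rows: {sorted(unknown)}")
    grid = []
    for name in ROWS:
        pattern = spec.get(name, "*" * PHASES)
        if len(pattern) != PHASES:
            raise ValueError(f"{name}: need {PHASES} entries")
        grid.append(tuple(CELL[ch] for ch in pattern))
    return tuple(grid)


def intersect(a, b):
    """Coordinate-wise intersection of two Cartesian sets; None if null."""
    rows = []
    for row_a, row_b in zip(a, b):
        row = tuple(x & y for x, y in zip(row_a, row_b))
        if not all(row):          # one empty coordinate empties the whole set
            return None
        rows.append(row)
    return tuple(rows)


def product_terms(unions):
    """Distribute the intersection of (3.3.3) over the unions.
    unions: one {name: Cartesian set} dict per level 0 coordinate.
    Returns {product term: Cartesian set} for the non-null terms only."""
    terms = {}
    for combo in product(*(u.items() for u in unions)):
        acc = cart({})            # whole level 1 trajectory space
        for _, cset in combo:
            acc = intersect(acc, cset)
            if acc is None:
                break
        if acc is not None:
            terms["".join(name for name, _ in combo)] = acc
    return terms


def size(cset):
    """Number of individual trajectories in a Cartesian set."""
    n = 1
    for row in cset:
        for cell in row:
            n *= len(cell)
    return n


def member(terms, trajectory):
    """True if a 9x4 matrix over {0,1} lies in the union of the terms."""
    return any(all(trajectory[i][j] in cset[i][j]
                   for i in range(len(ROWS)) for j in range(PHASES))
               for cset in terms.values())


def show(cset):
    """Render a Cartesian set in the 0/1/* matrix form used by the report."""
    inv = {v: k for k, v in CELL.items()}
    return "\n".join(f"{''.join(inv[c] for c in row)}  {name}"
                     for row, name in zip(cset, ROWS))


# Constructed component inverses, shaped like the example: one set each for
# coordinates 1 and 2, three for coordinate 3, five for coordinate 4.
ECONOMICS = {"A": cart({"AIDS": "0000"})}
OPERATIONS = {"A": cart({"VOR/DME": "0000", "AIR DATA": "0000"})}
PROFILE = {"A": cart({"INERTIAL": "0000"}),
           "B": cart({"INERTIAL": "0001"}),
           "C": cart({"INERTIAL": "001*"})}
SAFETY = {"A": cart({"INERTIAL": "***0", "AUTOLAND": "***0"}),
          "B": cart({"INERTIAL": "***1", "WEATHER": "***0"}),
          "C": cart({"INERTIAL": "**0*", "ENGINE CONTROL": "0000"}),
          "D": cart({"INERTIAL": "1***"}),
          "E": cart({"INERTIAL": "*1**", "ACTIVE FLUTTER CONTROL": "0000"})}

TERMS = product_terms([ECONOMICS, OPERATIONS, PROFILE, SAFETY])

if __name__ == "__main__":
    print(f"{len(TERMS)} of 15 product terms are non-null: {sorted(TERMS)}")
    print(show(TERMS["AAAA"]))
```

Because every named set is Cartesian, each product term is decided coordinate by coordinate, so null terms are discarded without enumerating any of the 2^36 trajectories.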

The next section describes the computer model which comprises
the bottom level of the model hierarchy.

3.3.2 Computer Level Model

A computer model of the SIFT system is described in this
section. The model employed is a non-homogeneous Markov process,
where such processes have been discussed in previous reports (see
[2], Section 3.4.2 and [3], Section 3.4.3). The purpose of the
computer model is to provide a description of the probabilistic
nature of the SIFT system, which is able to change its
configuration due to phase changes or to failures occurring
during use. As compared with the Markov model for the SIFT system
described in [8], the salient feature of the model is that the
partitioning of the system is based on both the system's
available resources as well as the computational requirements of
a given phase. Moreover, since the SIFT system reconfigures in
accordance with the task allocation algorithm, we believe that
the model should also be tailored to the specific task allocation
algorithm selected. Accordingly, the Markov model described here
has the advantages that (i) it is more compatible with the higher
level models developed in Section 3.3.1 of this report, (ii) the
level of detail of the model depends on the user's application.

In the following discussion, it is assumed, as in [8], that the
SIFT computer is comprised of a number of processor-memory
modules connected to the busses as shown in Figure 4. It is also
assumed that the detection and location of processor and bus
failures is carried out by the method described in Chapter IV of
[8]. In order to relate the state behavior of the bottom model
(level 2) to that of the aircraft functional task model
(level 1), the phases of the level 1 model are further decomposed
into eight phases at level 2, as shown in Table 4.



FIGURE 4

SIFT Configuration

[Diagram not reproduced. Legend: memory; P: processor.]


TABLE 4

Level 1 and Level 2 Phases

[The Level 1 Phases column is not legible.]

Level 2 Phases    Description

1                 Take-off
2                 Climb
3                 Cruise I
4                 Cruise II
5                 Cruise III
6                 Descent
7                 Approach
8                 Landing


3.3.2.1 Task Allocation

In order to derive the computer model for the SIFT system,
it is necessary that the state space of the model be refined
enough to distinguish different levels of degraded performance
for the system. This condition can be satisfied when the states
of the model are chosen to represent different processing
capabilities of the system. For example, the state "5 processors
and 4 busses" ensures that all tasks required to support
take-off phases can be accomplished by the system. On the other
hand, the state "4 processors and 4 busses" accommodates a
reduced workload wherein Inertial System computations are
discarded. Since the task profiles are different for different
phases, relations between different states and system processing
abilities must be established for each phase.

System reconfiguration can occur in the SIFT computer due to
phase change, pilot intervention, fault detection and location,
etc. It is determined by the Local Executive and the Global
Executive using a precomputed task allocation algorithm.
Although the feasibility of such a task allocation algorithm has
been demonstrated in [8], it is not completely specified. For
the purpose of developing a computer model, we have applied the
basic design principles described for the SIFT system to develop
a workable task allocation algorithm. This allocation algorithm
is then accounted for (see Section 3.3.2.2) in the derivation of
the Markov process representation of the computer.

The basic parameters for determining a task allocation
algorithm are the size of the processor-memory modules and the
computational and reliability requirements for each task. Since
the set of flight-related application tasks used in the
derivation of the above higher level models is a subset of the
task set considered in [8], the size of the processor and memory
units is scaled down proportionally to account for the reduced
workload. It will be assumed in the following discussion that
each processor-memory unit has 0.16 MIPS (millions of
instructions per second) capacity and has a 5 kiloword memory.
However, the computational and reliability requirements for each
task are taken directly from [8]. A summary of the tasks
considered and their requirements is given in Table 5.

The criticality levels described in Table 5 indicate the
degree of reliability required for each task. They can be
interpreted as follows (see 17.3/ page 5):

Criticality Level 1 - A function immediately critical to
the safety of the flight.

Criticality Level 2 - A function that will be critical to
the safety of the flight at some future time during the
mission.

Criticality Level 3 - A function whose loss requires a
significant change in mission to avoid degradation of safety.

Criticality Level 4 - A function whose loss imposes substantial
operational penalties on air crew or ATC.

Criticality Level 5 - A function whose loss has undesirable
economic consequences but no significant safety degradation
or operational penalty.

The notion of criticality level is used in the SIFT design
to assure even distribution of tasks and orderly degradation in
reconfiguration. A less critical task may be abandoned when
the amount of processor and memory resources has decreased as
the result of hardware failures. A highly critical task must
either be reassigned to another processor-memory module, or
adequate backup systems must be activated. However, the
criticality level of a task also depends on the task profile
of each phase. For example, although the autoland function has
criticality level 1, it is not needed during the take-off phase.
Hence, autoland is not allocated during that phase. The task
profiles of the flight phases that can influence the criticality
level are tabulated in Table 6.


TABLE 5

Task Module Properties for Task Allocation

TASK                               MIPS    MEMORY    CRITICALITY
                                           (words)   LEVEL

AFC (Active Flutter Control)       0.069       92    1
AC (Altitude Control)              0.023     2075    (not legible)
AUT (Autoland)                     0.055     1025    1
EC (Engine Control)                0.119     1500    (not legible)
IN (Inertial System)               0.034     2250    3
VOR (VOR/DME Radio)                0.004      300    4
AD (Air Data)                      0.001      135    4
AIDS (Aircraft Integrated
  Data System)                     0.002     1300    5
LE (Local Executive)               0.034      320    1
GE (Global Executive)              0.001     1100    1

For each phase, it will be assumed that a primary task has
a higher priority than a secondary task which, in turn, has a
higher priority than a backup task. Accordingly, Table 6 can
now be combined with the criticality levels to establish the
priority of each task in the task allocation algorithm. When
the system must function with a degraded performance, lower
priority tasks are discarded first. To obtain the priority
ordering, tasks are first ordered in accordance with Table 6,
and then ordered according to criticality levels. The resulting
priority ordering for each phase is summarized in Table 7.

A task allocation algorithm can now be defined using the
method suggested in [8]. Although the method may not be
optimal in the sense that it may not yield the highest
performability, it achieves some degree of balance in workload
distribution. A flowchart representing this method is given in
Figure 5. The flowchart is fully explained in [8] except for
the reallocation procedure which includes the following steps.


TABLE 6

Task Profiles

[The phase column headings and the entries for AFC and AC are
not legible.]

Task

AFC (Active Flutter Control)
AC (Altitude Control)
AUT (Autoland)                  -   -   -   -   P
EC (Engine Control)             P   P   P   P   P
IN (Inertial System)            P   P   P   P   P
VOR (VOR/DME Radio)             -   P   P   P   P
AD (Air Data)                   B   B   B   B   B
AIDS (Aircraft Integrated
  Data System)                  S   S   S   S   S

Key

P: Prime
S: Secondary
B: Backup
-: Not Applicable


TABLE 7

Priority Ordering of Tasks

Takeoff: EC > IN > AIDS > AD

Climb, Descent or Cruise: AFC = AC = EC > IN > VOR > AIDS > AD

Initial Approach: AC = EC > IN > VOR > AIDS > AD

Landing: AUT = EC > IN > VOR > AIDS > AD


FIGURE 5

Task Allocation Algorithm

[Flowchart not reproduced. Surviving legend entries: Processor
Requirement for Task j; ... Requirement for Task j; ... Load
Already Allocated to Module i; ... Load Already Allocated to
Module i.]

* Allocate Local Executive to every module, and
allocate Global Executive to three modules.

* Allocate remaining tasks triplicated in accordance with
Table 7 and beginning with high priority tasks.

* Duplication of tasks is permitted when resources
are exhausted. However, each module has to
contain at least one triplicated task (other than
GE or LE) to facilitate fault identification.

* Allocate the remaining tasks without replication.
However, when a processor containing a non-replicated
task has failed, the task is considered to have
been lost. This is because simplex assignment is
not capable of fault-detection. Thus, the number
of missed iterations may be intolerable.


Applying the above algorithm to the cruise phase, the
results of the allocation, based on the number of available
processors, are given in Tables 8-12. In Table 8, all tasks are
allocated. Hence, knowing that there are 6 processors and at
least 2 busses available, it suffices to infer that all tasks
are operational. When 5 processors and at least 2 busses are
available, it can be determined that the AIDS system has failed
(see Table 9). Similarly, "4 processors and at least 2 busses"
and "3 processors and at least 2 busses" can be associated with
failure of the Inertial and AIDS systems (see Tables 10-11).
When two processors and at least two busses are available,
there may exist two situations. Note that in Table 11 Engine
Control is not replicated. Hence, when processor 1 has failed
before processor 2 and processor 3, the Engine Control may be
erroneously computed, resulting in an excessive number of missed
iterations. Consequently, assuming that the failure is correctly
detected with some time delay, the above situation can be
interpreted as failure of the Engine Control, together with other
tasks discarded in Tables 11-12. However, when processor 2 or
processor 3 has failed before processor 1, the failure will be
detected immediately and reconfiguration will be initiated. In
this case, only the Inertial and AIDS tasks would have been lost,
but not Engine Control. Accordingly, these two situations must be
distinguished in the computer model (see Section 3.3.2.2).
Applying the allocation algorithm to all phases, tasks lost
through reconfiguration are shown in Table 13.


TABLE 8

Distributed Assignment of Cruise Phase Tasks
Over Six Processor-Memory Units

                           Accumulated Task MIPS           Accumulated Task Memory
                               Per Processor                   Per Memory Unit
Task                      1     2     3     4     5     6     1     2     3     4     5     6

LE (Local Executive)     .034  .034  .034  .034  .034  .034   320   320   320   320   320   320
GE (Global Executive)    .035  .035  .035   -     -     -    1420  1420  1420    -     -     -
EC (Engine Control)       -     -     -    .153  .153   -      -     -     -   1820  1820    -
AFC (Active Flutter
  Control)               .104  .104   -     -     -    .103  1512  1512    -     -     -    412
AC (Altitude Control)    .127  .127   -     -     -    .126  3587  3587    -     -     -   2487
IN (Inertial System)      -     -    .069   -     -    .160    -     -   3670    -     -   4737
VOR (VOR/DME)            .131   -     -    .157  .157   -    3887    -     -   2120  2120    -
AD (Air Data)             -    .128   -    .158  .158   -      -   3722    -   2255  2255    -
AIDS (Aircraft Inte-
  grated Data System)     -     -    .071  .160  .160   -      -     -   4970  3555  3555    -


TABLE 9

Distributed Assignment of Cruise Phase Tasks
Over Five Processor-Memory Units

                           Accumulated Task MIPS          Accumulated Task Memory
                               Per Processor                  Per Memory Unit
Task                      1      2      3      4      5      1     2     3     4     5

LE (Local Executive)     0.034  0.034  0.034  0.034  0.034   320   320   320   320   320
GE (Global Executive)    0.035  0.035  0.035   -      -     1420  1420  1420    -     -
EC (Engine Control)      0.154   -      -     0.153   -     2920    -     -   1820    -
AFC (Active Flutter
  Control)                -     0.104  0.104   -     0.103    -   1512  1512    -    412
AC (Altitude Control)     -     0.127   -      -     0.126    -   3587    -     -   2487
IN (Inertial System)      -      -     0.138   -     0.160    -     -   3762    -   4737
VOR (VOR/DME)            0.158  0.131   -     0.157   -     3220  3887    -   2120    -
AD (Air Data)            0.159   -     0.139  0.158   -     3355    -   3897  2255    -
AIDS (Aircraft Inte-
  grated Data System)    discarded                          discarded


TABLE 10

Distributed Assignment of Cruise Phase Tasks
Over Four Processor-Memory Units

                           Accumulated Task MIPS     Accumulated Task Memory
                               Per Processor             Per Memory Unit
Task                      1      2      3      4      1     2     3     4

LE (Local Executive)     0.034  0.034  0.034  0.034   320   320   320   320
GE (Global Executive)    0.035  0.035  0.035   -     1420  1420  1420    -
EC (Engine Control)      0.154   -      -     0.153  2920    -     -   1820
AFC (Active Flutter
  Control)                -     0.104  0.104   -       -   1512  1512    -
AC (Altitude Control)     -     0.127  0.127   -       -   3587  3587    -
VOR (VOR/DME)            0.158  0.131   -     0.157  3220  3887    -   2120
AD (Air Data)            0.159   -     0.128  0.158  3355    -   3722  2255
IN (Inertial System)     discarded                   discarded
AIDS (Aircraft Inte-
  grated Data System)    discarded                   discarded


TABLE 11

Distributed Assignment of Cruise Phase Tasks
Over Three Processor-Memory Units

                           Accumulated Task MIPS   Accumulated Task Memory
                               Per Processor           Per Memory Unit
Task                      1      2      3           1     2     3

LE (Local Executive)     0.034  0.034  0.034        320   320   320
GE (Global Executive)    0.035  0.035  0.035       1420  1420  1420
EC (Engine Control)      0.154   -      -          2920    -     -
AFC (Active Flutter
  Control)                -     0.104  0.104         -   1512  1512
AC (Altitude Control)     -     0.127  0.127         -   3587  3587
VOR (VOR/DME)            0.158  0.131  0.131       3220  3887  3887
AD (Air Data)            0.159  0.132  0.132       3355  4022  4022
IN (Inertial System)     discarded                 discarded
AIDS (Aircraft Inte-
  grated Data System)    discarded                 discarded


TABLE 12

Distributed Assignment of Cruise Phase Tasks
Over Two Processor-Memory Units

                               Accumulated Task
                               MIPS Per Processor
Task                            1      2

LE (Local Executive)           0.034  0.034
GE (Global Executive)          0.035  0.035
EC (Engine Control)            0.154   -
AFC (Active Flutter Control)    -     0.104

[The remaining rows and the Accumulated Task Memory Per Memory
Unit columns are not legible; one further MIPS entry, 0.127,
survives.]
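
A consistency check of the allocation tables, added here as a Python example that is not part of the original report: it recomputes the accumulated columns of Tables 8 and 11 from the Table 5 requirements, checks the 0.16 MIPS and 5 kiloword limits, and finds the non-replicated task behind the two-processor case distinction. The module contents are read off the non-dash table entries, 5 kiloword is taken as 5000 words (an assumption), and the function names are illustrative.

```python
# Table 5 requirements per task: (MIPS in thousandths, memory in words).
# Integer thousandths keep the sums exact (no floating-point rounding).
TASKS = {
    "AFC": (69, 92), "AC": (23, 2075), "AUT": (55, 1025), "EC": (119, 1500),
    "IN": (34, 2250), "VOR": (4, 300), "AD": (1, 135), "AIDS": (2, 1300),
    "LE": (34, 320), "GE": (1, 1100),
}
EXECUTIVES = {"LE", "GE"}
MIPS_CAP = 160      # 0.16 MIPS per processor, in thousandths
MEMORY_CAP = 5000   # "5 kiloword" memory, taken as 5000 words (assumption)

# Cruise-phase application tasks, from the Table 7 priority ordering.
CRUISE = ("AFC", "AC", "EC", "IN", "VOR", "AIDS", "AD")

# Module contents read off the non-dash entries of Tables 8 and 11.
TABLE_8 = [
    {"LE", "GE", "AFC", "AC", "VOR"},
    {"LE", "GE", "AFC", "AC", "AD"},
    {"LE", "GE", "IN", "AIDS"},
    {"LE", "EC", "VOR", "AD", "AIDS"},
    {"LE", "EC", "VOR", "AD", "AIDS"},
    {"LE", "AFC", "AC", "IN"},
]
TABLE_11 = [
    {"LE", "GE", "EC", "VOR", "AD"},
    {"LE", "GE", "AFC", "AC", "VOR", "AD"},
    {"LE", "GE", "AFC", "AC", "VOR", "AD"},
]


def totals(modules):
    """Accumulated (MIPS thousandths, memory words) for each module."""
    return [(sum(TASKS[t][0] for t in m), sum(TASKS[t][1] for t in m))
            for m in modules]


def over_capacity(modules):
    """1-based indices of modules exceeding the processor or memory limit."""
    return [k for k, (mips, words) in enumerate(totals(modules), 1)
            if mips > MIPS_CAP or words > MEMORY_CAP]


def replication(modules):
    """Number of copies of each allocated task."""
    counts = {}
    for m in modules:
        for task in m:
            counts[task] = counts.get(task, 0) + 1
    return counts


def without_triplicated_task(modules):
    """1-based indices of modules holding no triplicated application task,
    which the reallocation procedure requires for fault identification."""
    counts = replication(modules)
    return [k for k, m in enumerate(modules, 1)
            if not any(counts[t] >= 3 for t in m - EXECUTIVES)]


def simplex_on(modules, failed):
    """Application tasks whose only copy sits on the failed module (1-based).
    A simplex task has no second copy to compare against, so its loss is
    not detected by voting."""
    counts = replication(modules)
    return sorted(t for t in modules[failed - 1] - EXECUTIVES
                  if counts[t] == 1)


def discarded(modules, phase_tasks):
    """Phase tasks that received no module at all."""
    return sorted(set(phase_tasks) - set().union(*modules))


if __name__ == "__main__":
    for name, table in (("Table 8", TABLE_8), ("Table 11", TABLE_11)):
        print(name, totals(table), "discarded:", discarded(table, CRUISE))
    print("simplex on processor 1 of Table 11:", simplex_on(TABLE_11, 1))
```

For Table 11 the check singles out Engine Control on processor 1, which is the case the text separates from a failure of processor 2 or 3.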


3.3.2.2 The Phased Computer Model


As indicated in the previous section, the probabilistic
nature of the computer is represented by a non-homogeneous Markov
process. As discussed, the state space of this Markov process is
selected in accordance with (i) compliance of the task allocation
algorithm with the higher level models and (ii) preservation of
the Markov properties via the failure characteristics of the
hardware components.

During the takeoff phase (phase 1), the computer is
represented by a Markov model with a state transition graph as
illustrated in Figure 6. Each state of the graph (except F)
represents a specific number of fault-free resources. More
precisely, state (i,j) represents a configuration consisting of
i fault-free processors and j fault-free busses. State F
represents any other configuration. Using Table 13, the state q
of the computer at the end of phase 1 relates to the
accomplishment of functional tasks during phase 1 as follows.

If q = (i,j) then

    no degradation if
    $n \geq i \geq 5$, $m \geq j \geq 2$,

    Inertial System loss if
    $4 \geq i \geq 2$, $m \geq j \geq 2$.

If q = F then all functional tasks lost.


TABLE 13

Tasks Lost Through Reconfiguration

No. of                              Phase
Processors    1          2-6                  7       8

6             -          -                    -       -
5             -          AIDS                 -       -
4             Inertial   Inertial and AIDS    AIDS    AIDS
3             Inertial   Inertial and AIDS    AIDS    Air Data and AIDS

[Other rows of the table are not legible.]


FIGURE 6

Markov Transition Graph for Takeoff Phase

During each of the remaining phases, the computer model
is the Markov process with state transition graph shown in
Figure 7. Although the underlying Markov processes are
the same for these phases, a given state has different
effects on level 1 behavior during different phases. For
phases 2-6 (climb, cruises I-III and descent), the state
q at the end of the phase relates to functional task
accomplishment as follows:

If q = (i,j) then

    no degradation if
    $n \geq i \geq 6$, $m \geq j \geq 2$,

    AIDS loss if
    i = 5, $m \geq j \geq 2$,

    Inertial and AIDS loss if
    i = 3 or 4, $m \geq j \geq 2$,

    Engine Control, Inertial and AIDS loss if
    i = 2', $m \geq j \geq 2$,

    Inertial and AIDS loss if
    i = 2, $m \geq j \geq 2$.

If q = F then all functional tasks lost.


FIGURE 7

Markov Transition Graph for Phases Other Than Takeoff


For the approach phase (phase 7) the state q at the end
of phase 7 implies the following:

If q = (i,j) then

    no degradation if
    $n \geq i \geq 5$, $m \geq j \geq 2$,

    AIDS loss if
    i = 3 or 4, $m \geq j \geq 2$,

    Engine Control, Inertial and AIDS loss if
    i = 2', $m \geq j \geq 2$,

    Inertial system loss if
    i = 2, $m \geq j \geq 2$.

If q = F then all functional tasks lost.


Finally, for the landing phase (phase 8) the states
have the following implications:

If q = (i,j) then

    no degradation if
    $n \geq i \geq 5$, $m \geq j \geq 2$,

    AIDS loss if
    i = 4, $m \geq j \geq 2$,

    Engine Control, Air Data and AIDS loss if
    i = 2', $m \geq j \geq 2$,

    Air Data and AIDS loss if
    i = 3, $m \geq j \geq 2$,

    AIDS loss if
    i = 2, $m \geq j \geq 2$.

If q = F then all functional tasks lost.

Given the implications of level 2 states on level 1
behavior described above, the inverse $\kappa_2^{-1}$ of the
level 2 to level 1 translation $\kappa_2$ can be specified. For
this purpose, the states of the computer model can be partitioned
into seven equivalence classes

    {1, 2, 2', 3, 4, 5, 6}

defined as follows:

    1 = {F}

    i = {(i,j) | $j \geq 2$} if i = 2, 2', 3, 4, 5,

    6 = {(i,j) | $i \geq 6$, $j \geq 2$}.

The above classification of states is possible because the
computational capacity of the system depends only on the
number of active processors, as long as at least 2 busses
are available.

Table 14 presents in a format similar to Table 2. 

(k-j^-), that is, k ^ is expressed in terms of its component 

inverses ( (E . . ic 9 ) -1 ) where i is the task index (i<i58) and j 
j 1 J Z 

is the number of the level 1 phase (l<j<4) . Column 1 gives 
the coordinate (i,j) under consideration,; while column 2 gives 
the value of the coordinate. The following abbreviations are 
used to denote the level 1 tasks: 


AS = AIDS 
VO' = VOR/DME 
AD = AIR DATA 
IN] = INERTIAL 
AL ; = AUTOLAND 

AF = ACTIVE FLUTTER CONTROL 
EC = ENGINE CONTROL 
AC = ATTITUDE CONTROL. 
Columns 3-10 then give a trajectory set that maps into the
corresponding level 2 value. The union of all level 2 trajectory
sets indicated for a given coordinate ij and value v is the
preimage $(\xi_{ij}\kappa_2)^{-1}(v)$. For instance the level 2 trajectory
set $(\xi_{53}\kappa_2)^{-1}(1)$ is the union of all trajectory sets for which
INERTIAL (3) = 1, i.e., the set

[* * * * {1,2,2',3,4} * * *]

∪ [* * * {1,2,2',3,4} {5,6} * * *]

∪ [* * * {5,6} {5,6} {1,2,2',3,4} * *]

∪ [* * * {5,6} {5,6} {5,6} {1,2,2'}].

Finally, the last column of Table 14 assigns each
trajectory set a one letter name. Again, capital letters denote
trajectory sets associated with coordinate values of 0; lower case
names are used with trajectory sets affiliated with coordinate
values of 1. Sets are then referred to by these names in a
later table (Table 15).

Using $\gamma_1^{-1}$ (Table 3) and $\kappa_2^{-1}$ (Table 14), the desired base
model trajectory sets are determined. This step is described
in the section that follows.
3.3.3 Derivation of Base Model Trajectory Sets

Given the inverse of the level 1 based capability
function $\gamma_1^{-1}$ (Table 3) and given the inverse $\kappa_2^{-1}$ of the
inter-level translation $\kappa_2$ (Table 14), the inverse $\gamma_2^{-1}$ of the level 2
based capability function is determined in a manner similar to
the derivation of $\gamma_1^{-1}$. Moreover, since level 2 is the bottom
level, $\gamma_2^{-1} = \gamma^{-1}$, the inverse of the capability function of the
total system. More precisely, if a is an accomplishment level,
let $U_1 \times V_1, U_2 \times V_2, \ldots, U_m \times V_m$ denote the Cartesian components
of the level 1 trajectory set $\gamma_1^{-1}(a)$ (see Table 3). For
a particular component $U_k \times V_k$, $U_k$ denotes the "composite
part" of the trajectory set (the first eight rows that
describe functional task accomplishment) and $V_k$ denotes the
"basic part" (the last row that describes WEATHER behavior).
Then, as with equation (3.1.3), it follows that

$$\gamma_2^{-1}(a) = \gamma^{-1}(a) = \bigcup_{k=1}^{m} \kappa_2^{-1}(U_k) \times V_k \qquad (3.3.1)$$

(Note that (3.3.1) differs from (3.1.1) in that the basic
trajectories (WEATHER) must be carried down from level 1
to level 2. Also, when $V_k$ is carried down, additional
coordinates are added to match the number of phases of the
level 2 model.) Each preimage $\kappa_2^{-1}(U_k)$ is then formulated using
equation (3.1.2), where in this case the coordinate indices
in C are pairs (i,j); i being the i-th functional task and j
being the j-th phase of the level 1 trajectories. Hence

$$\kappa_2^{-1}(U_k) = \bigcap_{i,j=1,1}^{8,4} (\xi_{ij}\kappa_2)^{-1}\big(\xi_{ij}(U_k)\big) \qquad (3.3.2)$$

The values of the intersected terms on the right are determined
using Table 14, such that each term is expressed as a union
of Cartesian sets. These unions are then intersected according
to equation (3.3.2), in the systematic fashion used earlier
at level 1. The result is an expression of $\kappa_2^{-1}(U_k)$ as a
union of Cartesian trajectory sets. Finally, applying
(3.3.1), $\gamma^{-1}(a)$ is just the union of all the $\kappa_2^{-1}(U_k)$ unions
(k = 1,2,...,m) with the weather trajectories $V_k$ adjoined
to each Cartesian component of $\kappa_2^{-1}(U_k)$. These resulting
sets are displayed in Table 1. To illustrate this computation,
consider the following example.
TABLE 15

Level 2 Based Capability Function

[Table body omitted: entries not recoverable. Columns: Accomplishment Level; Level 2 Trajectory Set Names for Level 1 Trajectories; Resulting Level 2 Trajectory Sets. Rows are indexed by the level 1 tasks (AIDS, VOR/DME, Air Data, Inertial, Autoland, Active Flutter Control, Engine Control, Attitude Control) and the level 2 phases (Takeoff, Climb, Cruise I, Cruise II, Cruise III, Descent, Approach, Landing).]

Column 1: Phase 1 = Takeoff/Cruise A
Column 2: Phase 2 = Cruise b
Column 3: Phase 3 = Cruise c
Column 4: Phase 4 = Landing

Names are defined in Table 14.

For each row, the resulting
level 1 trajectory set is
the intersection of the sets
named in Column 2.
earlier, can be ignored), $\xi_{ij}(U_1) = 0$. The level 2 Cartesian
trajectory sets corresponding to these coordinate values
are given by Table 14, e.g., $\xi_{11}(U_1) = 0$ says AIDS(1) = 0
which, by page 1, row 1 of the table, corresponds to the
level 2 trajectory set

[ 6 6 6 * * * * * ].

(There is only one Cartesian component in this case. In
general there will be several, e.g., AIDS(1) = 1 yields
the three components of page 1, rows 2-4).

Repeating this step for the remaining coordinate
pairs (i,j) and using the names indicated in the last column
of Table 14, the intersection of equation (3.3.2) is
performed symbolically (as illustrated in the example of
Section 3.3.1.3). Each product term of this expression is
displayed in matrix form in the second column of Table 15;
in this case there happens to be only one product term,
which appears on page 1, row 1, column 2. The matrix
arrangement of the names resolves their ambiguities, i.e.,
the A that appears as entry (i, j) names a Cartesian component
that maps into $\xi_{ij}(U_1)$. Column 3 of Table 3 gives the
resulting intersection of level 2 Cartesian sets named by
entries in the matrix, along with the weather trajectories
$V_1$ that are carried down from level 1. (Note that the matrix
representation in column 3 has a different orientation, due
to space limitations.) Thus, for the case in point, the
computation yields the trajectory set

    TAKEOFF         6             ø
    CLIMB           6             ø
    CRUISE I        6             ø
    CRUISE II       6             ø
    CRUISE III      6      ×      0
    DESCENT         6             ø
    APPROACH      {5,6}           ø
    LANDING       {5,6}           ø

These computations are then repeated for U 2 , U^ / and U^. 
(Note that, unlike Table 3, computations that result in null sets
are omitted from the tabulation.) Carrying out these computations,
we find that there is only one other distinct Cartesian
component associated with $a_0$ (displayed in Table 15, page 1,
row 2, column 3) and hence

$\gamma^{-1}(a_0)$ =

    TAKEOFF         6             ø
    CLIMB           6             ø
    CRUISE I        6             ø
    CRUISE II       6             ø
    CRUISE III      6      ×      0
    DESCENT         6             ø
    APPROACH      {5,6}           ø
    LANDING       {5,6}           ø

  ∪

    TAKEOFF         6             ø
    CLIMB           6             ø
    CRUISE I        6             ø
    CRUISE II       6             ø
    CRUISE III      6      ×      1
    DESCENT         6             ø
    APPROACH      {5,6}           ø
    LANDING       {5,6}           ø

This concludes the example.

On examining Table 3, one can observe that the remaining
levels ($a_1, a_2, a_3, a_4$) involve more complex trajectory sets that
are more difficult to determine. This is something we have
observed before in earlier experiments, namely, that the
base model trajectory set associated with the "most successful"
level of performance tends to be "quite" Cartesian (i.e.,
has few Cartesian components in its decomposition), while
those of lower levels do not. Indeed, the level $a_0$ trajectory
set computed in the above example is purely Cartesian since the
two components produced by the computational procedure differ
only in the value of the phase 5 weather variable. Hence,
relative to accomplishment level $a_0$, the phases of the base
model are independent (see Section 3.1.3, corollary to Theorem
5). This says in turn that if level $a_0$ were taken to be
"success" and the remaining levels were regarded as "failure,"
the resulting capability function would be structure-based
(see Section 3.1.4, Theorem 6). In other words, the
evaluation of SIFT could have been based on more conventional
reliability models if "top performance" were the only concern.

However, an examination of Table 15 reveals that the trajectory
sets $\gamma^{-1}(a)$ for levels $a_1$, $a_2$, $a_3$ and $a_4$ are "far" from being
Cartesian and, accordingly, there exist interphase dependencies
relative to these lower levels of accomplishment. It is at
these lower levels, then, that the full generality of our
evaluation techniques must be brought into play.


3.3.4 Derivation of Transition Probabilities

Given the transition graphs of Figure 3 and Figure 4,
there is enough information to determine the initial to final
state transition matrix P(k), for each phase k (k = 1, 2, ..., 8).
There are several standard techniques for obtaining the initial
to final state matrices (see [10], for example). However, for
this particular SIFT model, these matrices can be obtained
more easily using combinational probability methods (see
Section 3.2.2). This is due to the assumption that each unit
fails independently with a constant failure rate.

For the first phase, the initial to final state transition
matrix is a nm-(n+m)+2 by nm-(n+m)+2 matrix

$$P(1) = \big[\, p_{T_1}[(i,j),(i',j')] \,\big]$$

where

nm-(n+m)+2 = the number of states of the phase 1
model (see Figure 6)

and

$p_{T_1}[(i,j),(i',j')]$ = the probability that the phase one model
is in state (i',j') at time $t_1 = t_0 + T_1$,
given that the phase one model is in
state (i,j) at time $t_0$

= Prob[i' processor-memory units remain at
time $t_1$ | i processor-memory units are
available at time $t_0$] · Prob[j' busses
remain at time $t_1$ | j busses are available
at time $t_0$]

$$= \begin{cases} \binom{i}{i'} e^{-i'pT_1}\,(1-e^{-pT_1})^{i-i'} \cdot \binom{j}{j'} e^{-j'qT_1}\,(1-e^{-qT_1})^{j-j'} & \text{if } 2 \le i' \le i \le n \text{ and } 2 \le j' \le j \le m; \\ 0 & \text{otherwise.} \end{cases}$$

Finally, the probability of being in state F at time $t_1$
given that the phase 1 model is in state (i,j) at time $t_0$ can be
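The phase 1 formula above, worked as an added Python example (not code from the report): it builds the full phase 1 transition matrix, with the F column taken as the complement of each row, and evaluates it for the one-minute takeoff phase. The values n = m = 6 and the processor failure rate, the treatment of F as absorbing, the state ordering and all function names are assumptions made for the illustration.

```python
from math import comb, exp

F = "F"  # the failure state of the phase model


def survive(k_now, k_later, rate, t):
    """P[exactly k_later of k_now units are still fault-free after time t],
    each unit failing independently at constant `rate` (binomial in e^(-rate*t))."""
    if not 0 <= k_later <= k_now:
        return 0.0  # no repair: the number of fault-free units cannot grow
    r = exp(-rate * t)
    return comb(k_now, k_later) * r ** k_later * (1.0 - r) ** (k_now - k_later)


def fewer_than_two(k_now, rate, t):
    """P[fewer than 2 of k_now units remain after time t]."""
    return survive(k_now, 0, rate, t) + survive(k_now, 1, rate, t)


def phase1_states(n, m):
    """All (i, j) with 2 <= i <= n and 2 <= j <= m, followed by F.
    The ordering is a choice made for this example."""
    return [(i, j) for i in range(n, 1, -1) for j in range(m, 1, -1)] + [F]


def phase1_matrix(n, m, p, q, t):
    """Return (states, P), where P[a][b] is the probability of ending phase 1
    in states[b] given a start in states[a]. p and q are the processor and bus
    failure rates per hour; t is the phase duration in hours."""
    states = phase1_states(n, m)
    P = []
    for s in states:
        if s == F:
            # Assumption of this example: F is absorbing.
            P.append([0.0] * (len(states) - 1) + [1.0])
            continue
        i, j = s
        row = [survive(i, i2, p, t) * survive(j, j2, q, t)
               for (i2, j2) in states[:-1]]
        # Entry for F: the complement of the operational entries, written as a
        # sum of small terms so it is not lost to floating-point cancellation.
        lost_p = fewer_than_two(i, p, t)
        lost_b = fewer_than_two(j, q, t)
        row.append(lost_p + (1.0 - lost_p) * lost_b)
        P.append(row)
    return states, P


def prob_end_in(start, targets, n, m, p, q, t):
    """P[phase 1 ends in one of `targets`] for the deterministic start `start`."""
    states, P = phase1_matrix(n, m, p, q, t)
    row = P[states.index(start)]
    return sum(row[states.index(s)] for s in targets)


# Sample parameters. The bus rate and the takeoff duration are the values used
# in Section 3.3.5; N, M and the processor rate are assumed for illustration.
N = M = 6
P_RATE = 1e-4        # assumed processor failure rate, per hour
Q_RATE = 1e-5        # bus failure rate, per hour
T_TAKEOFF = 1 / 60   # 1 minute, in hours


def takeoff_stays_in_class_6():
    """P[state at end of takeoff lies in class 6 = {(i,j) | i >= 6, j >= 2}],
    starting from state (6,6) with probability 1."""
    class_6 = [(i, j) for i in range(6, N + 1) for j in range(2, M + 1)]
    return prob_end_in((6, 6), class_6, N, M, P_RATE, Q_RATE, T_TAKEOFF)


if __name__ == "__main__":
    states, P = phase1_matrix(N, M, P_RATE, Q_RATE, T_TAKEOFF)
    print(len(states), "states; worst row-sum error:",
          max(abs(sum(r) - 1.0) for r in P))
    print("P[class 6 after takeoff | start (6,6)] =", takeoff_stays_in_class_6())
```

The matrices for phases 2 through 8 need the additional split between states 2 and 2', so the sketch stops at phase 1.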
The initial to final state transition matrix for the second
phase is an nm-n+1 by nm-n+1 matrix

$$P(2) = \big[\, p_{T_2}[(i,j),(i',j')] \,\big]$$

where

nm-n+1 = the number of states of the second
phase model (see Figure 7),

$T_2 = t_2 - t_1$ = the duration of phase 2,

$$p_{T_2}[(i,j),(i',j')] = \begin{cases} \binom{i}{i'} e^{-i'pT_2}\,(1-e^{-pT_2})^{i-i'} \cdot \binom{j}{j'} e^{-j'qT_2}\,(1-e^{-qT_2})^{j-j'} & \text{if } 3 \le i' \le i \le n \text{ and } 2 \le j' \le j \le m, \\ 0 & \text{if } 3 \le i < i' \le n \text{ or } 2 \le j < j' \le m. \end{cases}$$

When 2 processors and j' busses are available at the end
of phase 2, two states (2, j') and (2', j') are created to
distinguish two possible configurations. Corresponding with these
two states, the transition probabilities are expressed as


P T !<i,j>r<2,j , > 1 “ 

2 ■ V-.V- 


f • > 

3 

j ' 


e-2’9 T 2( 1 - e - t J T 2)2-3' . 2 (i] ( 1 - e -PT2 ) i-2 e -2pT 2 


if 3 5 i 5 n and 2 < j' 1 5 j 5 m, 

fh|e' j ' qT2 (l-e- t J T 2,J-5’. e - 2 P T 2 
U 1 r. 


if i = 2 and 2 5 j ' < j < m »' 


0 otherwise. 


P T [ (ifj) , (2', j')] = 1 

2 1 




-l'qT 2 -qT, j-j • 
e (X-e 


<*) (i. e ' PT 2, i -2 e -2W2 


if 35i5n and 2<j , <j<m, 
0 otherwise , 


and

$$p_{T_2}[(2',j),(2,j')] = 0 \quad \text{for } 2 \le j' \le j \le m.$$

Furthermore,

$$p_{T_2}[(2',j),(2',j')] = \begin{cases} \binom{j}{j'} e^{-j'qT_2}\,(1-e^{-qT_2})^{j-j'}\, e^{-2pT_2} & \text{if } 2 \le j' \le j \le m, \\ 0 & \text{otherwise.} \end{cases}$$


P™ l(i/j)/F] = 1- l l p T [ (if j ) / (i ' r j 1 ) 3 “ I p T t (if j) f (2' , j’)] 


j’=2 i 1 =2 


j ' =2 2 


Since the remaining phases have the same transition graph as
the second phase, the corresponding initial to final phase
transition matrices can be represented as nm-n+1 by nm-n+1 matrices

$$P(k) = \big[\, p_{T_k}[(i,j),(i',j')] \,\big]$$

where for each k = 3, 4, ..., 8, $T_k$ is the duration of the kth phase
and $p_{T_k}[(i,j),(i',j')]$ is defined as above with $T_2$ replaced by $T_k$.

Since the underlying Markov models differ for different phases,
it is also necessary to specify the interphase transition matrices
(see [3], Section 3.4.3). Generally, the interphase transition
matrix H(k) is defined to be an $n_k$ by $n_{k+1}$ matrix

$$H(k) = [h_{ij}]$$

where $n_k$ and $n_{k+1}$ are the number of states for the k-th and the
(k+1)-th phase models and

$h_{ij}$ = probability that the
state of the phase k+1
model is j (at time
$t_k$) given that the state
of the phase k model is
i (at time $t_k$).
For the phase models described above, the phase 1 model
has $n_1$ = nm-(n+m)+2 states, the phase 2 model has $n_2$ =
nm-n+1 states and the interphase transition matrix H(1)
is the following $n_1$ by $n_2$ matrix.

          (n,m) (n,m-1) ... (2,m) (2',m) (2,m-1) (2',m-1) ... (2,2) (2',2) F

(n,m)

(n,m-1)

(2,m)

(2,m-1)

(2,2)

... 1

The above matrix is interpreted as follows. When the phase 1
model is in the state (i,j) such that $n \ge i \ge 2$ and $m \ge j \ge 2$ at the
end of phase 1, the computer reconfigures with probability 1 to
state (i,j) of the phase 2 model. For the second phase, the
interphase transition matrix H(2) is represented by a $n_2$ by $n_3$ matrix
($n_2 = n_3$ = nm-n+1).
3.3.5 Performability Results

Having derived the trajectory sets associated
with each accomplishment level in $\{a_0, a_1, \ldots, a_4\}$ (Section
3.3.3; Table 15) and the transition matrices of the computer
model (Section 3.3.4), evaluation of a specific system
requires designation of values for the following parameters of
SIFT and its environment:

COMPUTER (SIFT)

C1) Processor failure rate,

C2) Bus failure rate,

C3) Initial state distribution (i.e., availability
of computer resources at takeoff).

ENVIRONMENT

E1) Flight duration and phase durations,

E2) Probability of Category III weather at destination
airport.

Evaluations were performed for a number of specific systems
determined by the following choices of parameter values.

C1)


As in [8] , the processor failure rate for each system 
is taken to be 10"^ failures per hour. 


C2) As in [8], the bus failure rate for each system is
taken to be $10^{-5}$ failures per hour.

C3) Two types of initial state distributions are
considered. The first type is "deterministic" in
the sense that one computer state has probability
1 of being the initial state (the remaining states
having probability 0). If (i,j) is the state having
probability 1 (recall that i is the number of
fault-free processors; j is the number of fault-free
busses), this distribution is denoted

Det(i, j).

The second type of initial state distribution
considered is truly probabilistic where one of
two specific distributions are assumed. These
are denoted $I_1$ and $I_2$ and are given by Table 16.
    State          Distribution
    (i, j)         I_1        I_2

    (6,6)          .64        .81
    (6,5)          .128       .081
    (6,4)          .032       .009
    (5,6)          .16        .09
    (5,5)          .032       .009
    (5,4)          .008       .001
    Others         0          0

TABLE 16

Initial State Probabilities

E1) Two flight missions are considered, a 6 hour and 25
minute flight from London to New York (JFK Airport)
and a 10 hour flight from Tel Aviv to New York.
The assumed phase durations associated with each
flight are given in Table 17.



                      Flight
    Phase             London-New York        Tel Aviv-New York

    Takeoff           1 minute               1 minute
    Climb             15 minutes             15 minutes
    Cruise I          25 minutes             25 minutes
    Cruise II         5 hours                8 hours 35 minutes
    Cruise III        25 minutes             25 minutes
    Descent           15 minutes             15 minutes
    Approach          3 minutes              3 minutes
    Landing           1 minute               1 minute

    Total Duration    6 hours 25 minutes     10 hours

TABLE 17
Phase Durations
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E2) The probability of Category III weather at JFK is 
taken to be .011 (see [11] , p.173) . 

For the fixed values of Cl, C2, and E2 indicated above 

and for choices of C3 and El as indicated in Table 18, 14 

specific systems were evaluated (denoted S , S 2 , . . . .S^) . 

For each system S., the resulting performability p is 

1 - fa i 

also presented in Table 18 , where the entry corresponding to 
system and accomplishment level a^ is the probability p s (a 
summarize the calculation of p c (a . ) : 

= 


TO 


1) The base model trajectory set $U_{a_j}$ is expressed as a
union of Cartesian trajectory sets (see Table 15; these sets
are common to each of the 14 specific systems).

2) The initial state distribution of $S_i$ determines the
initial state vector $I(0)$. The flight of $S_i$,
with its associated phase durations, determines the
specific nature of the transition matrices $P(1), \ldots, P(8)$
and $H(1), \ldots, H(7)$ derived in Section 3.3.4.

3) For each Cartesian component $V$ of $U_{a_j}$, $V$ is
represented by the characteristic matrices $G(1), \ldots, G(7)$
and $F(8)$ (see [3], pp. 59-60) and $\Pr[V]$ is computed
by the formula

$$\Pr[V] = I(0) \left( \prod_{m=1}^{7} P(m)\,G(m)\,H(m) \right) P(8)\,F(8).$$

(See [3], p.68, Theorem 3.)

4) The performability of $S_i$ relative to level $a_j$ is
the sum, over all $V$ in $U_{a_j}$, of the $\Pr[V]$, i.e.,

$$p_{S_i}(a_j) = \sum_{V \in U_{a_j}} \Pr[V].$$

Step 2) of the procedure outlined above was aided by
METAPHOR wherein the DEDFAIL transition matrix generator
function was employed to obtain the intraphase transition
matrices $P(m)$. The interphase transition matrices $H(m)$
were entered via the GIVEN command. In step 3), the matrices $G(m)$




Key:

Level   Economic    Operational   Change in         Fatalities
        Penalties   Penalties     Mission Profile

a_0     No          No            No                No
a_1     Yes         No            No                No
a_2     Maybe       Yes           No                No
a_3     Maybe       Maybe         Maybe             No
a_4     Maybe       Maybe         Maybe             Yes


                                                     Accomplishment Level
System  C3            E1 (Flight)  a_0          a_1          a_2           a_3          a_4

S_1     Det(6,6)      Lon-NY       9.96x10^-1   3.80x10^-3   3.78x10^-12   6.02x10^-6   1.95x10^-12
S_2     Det(6,5)      Lon-NY       9.96x10^-1   3.80x10^-3   3.79x10^-12   6.02x10^-6   1.95x10^-12
S_3     Det(6,4)      Lon-NY       9.96x10^-1   3.80x10^-3   1.33x10^-10   6.05x10^-6   2.97x10^-12
S_4     Det(5,6)      Lon-NY       0            9.97x10^-1   1.03x10^-9    3.17x10^-3   1.55x10^-9
S_5     Det(5,5)      Lon-NY       0            9.97x10^-1   1.03x10^-9    3.17x10^-3   1.55x10^-9
S_6     Det(5,4)      Lon-NY       0            9.97x10^-1   1.16x10^-9    3.17x10^-3   1.55x10^-9
S_7     Det(6,6)      TA-NY        9.94x10^-1   6.03x10^-3   6.07x10^-12   1.52x10^-5   1.30x10^-11
S_8     Det(6,5)      TA-NY        9.94x10^-1   6.03x10^-3   6.12x10^-12   1.52x10^-5   (illegible)
S_9     Det(6,4)      TA-NY        9.94x10^-1   6.03x10^-3   2.09x10^-10   1.53x10^-5   1.71x10^-11
S_10    Det(5,6)      TA-NY        0            9.95x10^-1   1.03x10^-9    5.03x10^-3   7.15x10^-9
S_11    Det(5,5)      TA-NY        0            9.95x10^-1   1.03x10^-9    (illegible)  7.15x10^-9
S_12    Det(5,4)      TA-NY        0            9.95x10^-1   1.23x10^-9    5.03x10^-3   7.15x10^-9
S_13    (illegible)   TA-NY        7.95x10^-1   2.04x10^-1   2.18x10^-10   1.02x10^-3   1.44x10^-9
S_14    X 2           TA-NY        8.95x10^-1   1.05x10^-1   1.10x10^-10   5.17x10^-4   7.26x10^-10

TABLE 18
Performability Results

and $F(8)$ were likewise entered via the GIVEN command. The
calculations of step 3) and step 4) were executed by METAPHOR
programs.
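
The calculation of steps 1) through 4), as an added example that is not part of the original report and is not METAPHOR code: it generalizes the formula of step 3) to k phases and runs it on constructed data with 3 phases and 3 states. It assumes that G(m) is the diagonal 0/1 matrix and F(k) the 0/1 column vector selecting the states permitted at the end of each phase, and that the Cartesian sets forming each union are disjoint; all names and numeric values are hypothetical.

```python
def vec_mat(v, M):
    """Row vector times matrix."""
    return [sum(v[i] * M[i][j] for i in range(len(v))) for j in range(len(M[0]))]

def select(v, allowed):
    """Effect of a 0/1 characteristic matrix (assumed form): keep allowed states."""
    return [x if i in allowed else 0.0 for i, x in enumerate(v)]

def pr_cartesian(i0, P, H, V):
    """Pr[V] = I(0) [prod_{m<k} P(m) G(m) H(m)] P(k) F(k), V = R_1 x ... x R_k."""
    v = list(i0)
    for m in range(len(P) - 1):
        v = vec_mat(v, P[m])    # intraphase transitions during phase m
        v = select(v, V[m])     # G(m): states permitted at the end of phase m
        v = vec_mat(v, H[m])    # interphase transition into phase m+1
    v = vec_mat(v, P[-1])
    return sum(select(v, V[-1]))  # F(k) as a 0/1 column vector gives a scalar

def performability(i0, P, H, U_a):
    """Step 4: sum Pr[V] over the disjoint Cartesian sets V whose union is U_a."""
    return sum(pr_cartesian(i0, P, H, V) for V in U_a)

# Constructed sample data (not from the report): 3 phases, 3 states,
# 0 = fully operational, 1 = degraded, 2 = failed; no repair.
I0 = [1.0, 0.0, 0.0]
P = [[[0.99, 0.009, 0.001], [0, 0.95, 0.05], [0, 0, 1]],
     [[0.90, 0.08, 0.02], [0, 0.85, 0.15], [0, 0, 1]],
     [[0.98, 0.015, 0.005], [0, 0.90, 0.10], [0, 0, 1]]]
IDENT = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
H = [IDENT, IDENT]              # interphase matrices taken as identity here
UP, ANY = {0, 1}, {0, 1, 2}
U = {                           # hypothetical accomplishment levels
    "a0": [(UP, UP, {0})],      # never failed, ends fully operational
    "a1": [(UP, UP, {1})],      # never failed, ends degraded
    "a2": [({2}, ANY, ANY), (UP, {2}, ANY), (UP, UP, {2})],  # first failure in phase 1, 2 or 3
}

def evaluate_levels():
    """Performability of the sample system at every accomplishment level."""
    return {a: performability(I0, P, H, sets) for a, sets in U.items()}

if __name__ == "__main__":
    for level, p in evaluate_levels().items():
        print(level, f"{p:.5f}")
```

Because the three levels partition the trajectory space, the resulting probabilities sum to 1, which is a useful sanity check on any decomposition into Cartesian sets.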

We make no attempt at this time to interpret the
performability results of Table 18. The intent of this evaluation
exercise was to further establish the practicality of
performability evaluation as it applies to aircraft computing
systems, and we believe this has been achieved by the effort
reported herein. However, having developed this model hierarchy,
we plan to obtain further evaluation data by choosing other
values of parameters C1-C3 and E1-E2. This data, along with
the performability results of Table 18, will then be examined
for possible implications regarding the design and use of the
SIFT computer.